Canada's House of Commons has been hit by a cyber attack, believed to be the result of a recently-exploited Microsoft SharePoint zero-day.
According to an email sent to staff and shared with CBC News, the event took place last Friday. The hackers gained access to a database containing information used to manage computers and mobile devices, much of which is not available to the public.
This includes employees' names, job titles, office locations, and email addresses, as well as information regarding their House of Commons-managed computers and mobile devices.
As of yet, no group has claimed responsibility for the House of Commons attack, but it's widely tipped to have been the work of Salt Typhoon, the Chinese state-linked advanced persistent threat (APT) group.
According to a national cyber threat assessment from the Canadian Centre for Cyber Security, at least 20 networks associated with Canadian government agencies and departments have been compromised by China-linked threat actors over the last four years.
At present, there's no concrete information on how many employees have been affected by the breach, though the House of Commons is carrying out an investigation.
The email to staff warned them to be on the lookout for scammers using the stolen data for phishing attempts.
This is a common tactic used by threat actors in the wake of data breaches, according to Javvad Malik, lead security awareness advocate at KnowBe4.
"The stolen data can be weaponized for tailored phishing and impersonation against officials. Staff will likely receive convincing emails, texts, and calls leveraging the job and device details that have been stolen," he said.
"Priority should be given to provide clear guidance and strict verification for requests along with a strong reporting culture so that people can work together to help secure the organization."
Speculation over source of the breach is mounting
Speculation over the source of the breach has been mounting since disclosure, with suggestions it could have been a result of a recent SharePoint vulnerability.
Andrew Costis, engineering manager of the Adversary Research Team at AttackIQ, noted that the breach came “shortly after Microsoft issued an alert regarding a SharePoint zero day”.
The SharePoint flaw, tracked as CVE-2025-53770, has a CVSS score of 9.8, Costis added. First discovered in May, Microsoft warned late last month that an exploit exists in the wild.
It allows malicious actors to gain unauthorized access to organizations’ infrastructure using remote code execution (RCE), which in turn gives them access to all SharePoint content, including internal configurations and file systems.
"In recent weeks, vulnerabilities in Microsoft platforms like Exchange and SharePoint have led to data breaches at several major organizations, including Google and the US Department of Health and Human Services," said Costis.
"Reports indicate that ransomware groups, such as Salt Typhoon and Warlock, have exploited these vulnerabilities to attack nearly 400 organizations."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Thousands of ASUS routers are being hijacked in a state-sponsored cyber espionage campaignNews Researchers believe that Operation WrtHug is being carried out by Chinese state-sponsored hackers
-
Entry-level role cutbacks risk huge future talent shortagesNews AI is eating into graduate jobs, and that brings problems for the internal talent pipeline
-
Thousands of ASUS routers are being hijacked in a state-sponsored cyber espionage campaign
News Researchers believe that Operation WrtHug is being carried out by Chinese state-sponsored hackers
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Logitech says zero-day attack saw hackers copy 'certain data' from internal IT systemsNews The incident is believed to have formed part of a campaign by the Clop extortion group that targeted customers of Oracle’s E-Business Suite
-
Google wants to take hackers to courtNews You don't have a package waiting for you, it's a scam – and Google is fighting back
-
Laid off Intel engineer accused of stealing 18,000 files on the way outNews Intel wants the files back, so it's filed a lawsuit claiming $250,000 in damages
-
GitHub is awash with leaked AI company secrets – API keys, tokens, and credentials were all found out in the openNews Wiz research suggests AI leaders need to clean up their act when it comes to secrets leaking
-
When cyber professionals go rogue: A former ‘ransomware negotiator’ has been charged amid claims they attacked and extorted businessesNews The attackers are alleged to have demanded ransoms of up to $10 million
-
CISA just published crucial new guidance on keeping Microsoft Exchange servers secureNews With a spate of attacks against Microsoft Exchange in recent years, CISA and the NSA have published crucial new guidance for organizations to shore up defenses.
