
Emissary Panda Hackers Penetrated ICAO Servers in Montreal, CBC/Radio-Canada Says
Key Takeaways
- Hackers penetrated ICAO's Montreal servers, per CBC/Radio-Canada.
- Malware allowed attackers to trap governments and airlines.
- The 2019 report may be outdated, according to CBC/Radio-Canada.
ICAO Hack in Montreal
A CBC/Radio-Canada investigation says hackers penetrated the servers of the International Civil Aviation Organization (ICAO), a United Nations agency based in Montreal, and that the malware allowed them to “trap governments and airlines,” according to documents obtained by CBC/Radio-Canada.
The report says that in November 2016, ICAO suffered the “worst cyberattack in its history,” and that internal documents reveal a “deficient response with delays, obstructions, and negligence,” alongside “attempts to cover up this mismanagement.”

The investigation says the hacking was “most likely the work of Emissary Panda, a Chinese cyber-espionage group,” and that independent experts commissioned by ICAO uncovered a vulnerable IT network full of flaws that “should have been reported years earlier.”
It also says that four members of ICAO’s Information and Communications Technology (ICT) team attempted to conceal evidence of their own incompetence, “an operation facilitated by the absence of their supervisor.”
CBC/Radio-Canada reports that confidential sources told it that ICAO’s Secretary General Fang Liu “had rejected internal recommendations to investigate ICT team members and their supervisor, James Wan,” and that “All still work at the Organization.”
The same report describes a “watering hole” cyberattack and says that within 30 minutes of ICAO’s hack, the website of at least one of the UN agency’s 192 member states, Turkey, was infected.
Delays, Decryption, and Data
Radio-Canada’s account ties the ICAO breach to a specific warning from Lockheed Martin and to a sequence of internal decisions that, it says, left sensitive information exposed.
It says that on November 22, 2016, “a cyber intelligence analyst from Lockheed Martin contacted ICAO's Chief Information Security Officer” to warn that a hacker had control of two of the Organization's servers and was using them to spread malware on foreign government websites.
In the analyst’s email, the attack is described as a “significant threat to the aerospace industry,” and Radio-Canada says ICAO’s information security chief gave the team “one day to take the infected servers offline.”
The investigation says ICAO then contacted a UN-affiliated IT agency in New York to analyze the attack, but that internal documents reveal ICAO’s IT team rejected the UN analysts’ expertise, “failing to respond to emails for days or sending unusable data.”
Only “about two weeks later” did ICAO’s information security chief authorize external analysis of the infected servers, and Radio-Canada reports that on December 7 the New York analysis found the “serious incident” was broader than ICAO had termed it.
It says the mail server, the domain administrator, and the system administrator were affected, giving hackers access to past and current passwords for “more than 2,000 ICAO system users,” and that the attackers could “read, send, or delete any user's emails.”
Radio-Canada further says the spies had access to “the personal files of past and current employees,” “the medical records of those who had used ICAO's clinic,” and “personal information of anyone who had visited ICAO's building or registered on the website.”
US Midterms and Cyber Teams
The United States material in the provided sources shifts from international aviation cyber risk to the politics and defense posture around U.S. elections, including the Election Security Group (ESG) that is supposed to coordinate intelligence and counter-operations.
“US President reveals he ordered a cyberattack against the Internet Research Agency, a Russian agency specialized in spreading fake news, accused of having disrupted the 2016 U”
CNN reports that “for the first election cycle in years, US military and intelligence officials have not yet activated a specialized team dedicated to detecting and thwarting foreign threats to elections,” citing comments from those agencies to Congress and CNN.
Senator Angus King of Maine, an independent who sits on the armed services committee, told CNN that a failure to activate the team would be a “major national security mistake and I hope that they will correct it in the weeks to come.”
CNN says that for every general and midterm election since the 2020 election, the ESG has been a hub for officials from the National Security Agency and US Cyber Command to “share intelligence and launch counter attacks against trolls from Russia, Iran and elsewhere.”
The article quotes Gen. Joshua Rudd, who told lawmakers at a Senate hearing in response to a question from Hawaii Democratic Senator Mazie Hirono: “I don’t know that an ESG has been established yet, but we are prepared to, as required.”
CNN also includes a warning from Kikta that “The bigger danger is not what foreign actors do, but what Americans believe foreign actors did,” and it says the dormancy of the ESG would be “very concerning” to King “when you consider we’ve been seeing foreign interference occurring in our elections for the past decade – and we know that our adversaries are more enabled and more capable than ever before to cause harm to our democracy.”
In parallel, LISA News describes how the Department of Defense says it is engaged in countering foreign interference and influence in cyberspace through the Joint Election Security Group of Cyber Command and the National Security Agency (NSA), launched in early 2022, with U.S. Army General Paul M. Nakasone saying it is “an enduring and faultless mission for U.S. Cyber Command and the NSA.”
IRA Disrupted by Cyber Command
Several of the sources describe U.S. cyber operations aimed at Russia’s Internet Research Agency (IRA) around the U.S. midterm elections, including claims that the Pentagon’s Cyber Command deprived the “troll farm” of Internet access.
Zone Militaire says the Pentagon allegedly deprived a Russian “troll farm” of Internet access during the U.S. midterm elections, describing the alleged goals as flooding social networks with misinformation and creating fake accounts favorable to Donald Trump, using hashtags “#Trump2016 and #Hillary4Prison,” running fake pages to divert certain minority groups from the Democratic Party, and urging them to vote for Green candidate Jill Stein.
It says these actions were alleged against “13 Russian nationals,” indicted on February 16, 2018 by Robert Mueller, and that Mueller also named three Russian companies partially owned by Yevgeny Prigozhin, including Concord Management and Consulting LLC, Concord Catering, and the Internet Research Agency [IRA].
Zone Militaire adds that, according to information from the Washington Post, the IRA would be the target of a cyberattack launched by the Pentagon’s Cyber Command on the occasion of the midterm elections held on November 6, 2018, and that the cyberattack consisted of depriving the IRA of Internet access while American citizens went to the polls.
The source quotes an official telling the Washington Post: “It’s as if they unplugged the IRA. They shut it down,” and it says Senator Mike Rounds commented that “Without Cybercom’s efforts, there would have been very serious interferences.”
Les Echos frames the same episode as Donald Trump confirming an American cyberattack against Russia, saying the U.S. president authorized, “two years earlier,” a cyberattack directed at the IRA that reportedly lasted several days at the start of the 2018 midterm elections.
Les Echos quotes Trump recalling the objective as blocking the internet connection of the “trolls” to prevent them from influencing the vote, and it includes Trump’s line: “No one has behaved as harshly toward Russia as I have.”
Stakes, Authority, and Dispute
The sources also frame the stakes of U.S. election cyber defense as a question of authority, timing, and whether the right mechanisms are in place.
“Please note that this article published in 2019 may contain information that is no longer up to date”
CNN says the ESG “was the most impactful mission that I got to be a part of at US Cyber Command,” quoting Andrew Schoka, who worked at Cyber Command in the 2020 election cycle, and it adds that the group combines “the unique mission of the NSA and the unique authorities and capabilities of Cyber Command.”

CNN reports that Cyber Command and the NSA told it their work continues, with a command spokesperson saying: “U.S. Cyber Command regularly targets actions by malicious foreign cyber actors overseas against the nation, this includes those intent on interfering with our democratic processes,” and an NSA spokesperson saying: “In support of ODNI’s [the Office of Director of National Intelligence’s] whole of IC [intelligence community] effort concerning foreign threats to 2026 elections, we have identified an Election lead that will represent NSA for the IC’s broader ability to counter foreign threats to election security.”
LISA News, by contrast, describes the ESG’s mission as generating intelligence on foreign adversaries, bolstering national defense by sharing information with interagency, industry, and allied partners, and imposing costs on foreign actors attempting to undermine democratic processes, with Horrigan saying “We can't just watch our adversaries: we have to do something about it, whether that means sharing timely information or taking action against that actor.”
Zone Militaire adds that the operation against the IRA was enabled by an order signed by President Trump in August, giving Cyber Command greater latitude to conduct offensive actions below the threshold of armed conflict, and it says “cyber-attacks not likely to cause human losses or substantial damage were authorized.”
It also includes Kremlin spokesperson Dmitry Peskov reacting that there were “an enormous number of attacks from Europe and North America against Russian organizations, individuals and civilians,” and that “This is the reality in which we live,” before adding that these threats made the establishment of a “sovereign Internet” in Russia more necessary than ever.
Taken together, the sources depict a U.S. election security posture where the presence or absence of the ESG, the scope of offensive cyber authorities, and the public narrative of foreign interference all become part of the immediate political and security stakes.