The Quebec government is shutting down about 3,992 government websites as a preventive measure, Digital Transformation Minister Eric Caire announced on Sunday.
At a news conference, he said the province was responding to the discovery of a vulnerability in the open-source Apache Log4j package used by many websites and services.
The vulnerability, which was identified Friday, would allow attackers to get into servers without permission and take control.
After commissioning an analysis of the threat, Caire said, it was determined that the risk of an attack outweighed the drawbacks of shutting down government sites, including those in the education and health departments.
Cyber-defence teams, which have been working since Friday, are going through each site to determine if it has the fault and either clearing it to go back online or installing a patch.
“We’re kind of looking for a needle in a haystack,” Caire said. “Not knowing which websites use the software, we decided to shut them all.”
Caire said the government doesn’t keep an inventory of which websites use the Apache software.
“It’s like saying how many government offices use 60-watt bulbs, we have to go around and look at each one of them,” Caire said, and it would take days to go through them all.
Quebec.ca and the Clic Santé portal used for booking COVID-19 vaccine appointments were already back online as of Sunday afternoon, while the site for Revenue Quebec among others was still down.
Internal government websites inaccessible to the public “are still being used, but will also be inspected,” Caire said.
Caire said the provincial vaccine passport system was never at risk, saying it doesn’t require the Apache software.
“At present, we have no indication that we’ve been targeted by a successful attack,” Caire said. “The decision is preventive, not reactive.”
Later Sunday, the city of Montreal followed suit, temporarily suspending its websites and online services.
Marc-Etienne Léveillé, a cybersecurity expert for the international internet security company ESET, said global internet traffic has spiked significantly since Friday, adding he’s noticed many users trying to find vulnerable services to hack.
The Canada Revenue Agency, which took similar precautions by taking its web-based services offline after learning of the potential vulnerability on Friday, issued a statement saying nothing so far suggests its systems have been compromised.
Léveillé welcomed the government’s precautionary measures, saying they might have prevented major data breaches.
“One of the big problems was that everyone was made aware of the flaw at the same time,” Léveillé said. “The developers and its users didn’t have time to correct the issue before people started to jump on the vulnerability. And since there are a lot of systems that use the software across the world, it will take many months to find which ones are vulnerable to that flaw.”
Federal Defence Minister Anita Anand issued a statement Sunday saying the government is aware of the security risk and calling on Canadian organizations to “pay attention to this critical internet vulnerability.”
“Out of an abundance of caution, some departments have taken their services off-line while any potential vulnerabilities are assessed and mitigated,” Anand said. “At this point, we have no indication these vulnerabilities have been exploited on government servers.”
Apache published a security bulletin on Friday listing the vulnerability as “critical,” its highest level. The issue is in Log4j, a software library used by the popular web server software. Governments including those of the United States, Australia and New Zealand quickly issued alerts.