Cybersecurity experts say Burnaby RCMP could have their work cut out for them as they try to identify who was behind an apparent hoax that prompted a massive police response at Metrotown on Friday.
RCMP and Metro Vancouver Transit Police responded in force Friday afternoon, amid reports of a pipe bomb at the SkyTrain station and active shooter in the mall.
Panicked shoppers and commuters were forced to evacuate, but after searching the sites investigators found no threat. Police said they’re now investigating the incident as a potential “swatting” attack.
One person was also arrested in relation to a third phony bomb threat at a Port Moody school, and Mounties said they’re working to determine if the three events were related.
“Swatting” refers to an intentional phony report to police intended to provoke the deployment of an Emergency Response Team, explained BCIT digital forensics and cybersecurity instructor Ilia Lvovsky.
“For example, there’s a hostage situation, or there’s a bomb or there is an active shooter and by that getting the SWAT unit to respond,” he said.
Michael Argast, co-founder of cybersecurity firm Kobalt.io, said the attacks are frequently associated with the online gaming community, though motivations have ranged from pure prank to revenge to attack-for-hire.
“Like many other forms of attacks, once the criminals figure out how to conduct it, once it can get monetized — so there are even swatting services available on the dark web,” he said.
Cybersecurity experts say swatting attacks are a growing problem, though it’s difficult to track exactly how many occur as they may be logged in different ways by differing police agencies.
In 2019, former FBI swatting expert Kevin Kolbye told The Economist the U.S. could be dealing with as many as 1,000 per year. The attacks have been on the bureau’s radar since at least 2008.
While they waste police resources, their consequences can be far more severe.
“It could be deadly,” Lvovsky said — pointing to a 2017 case where a dispute between online gamers led to a fatal swatting attack when police were deployed to an unrelated third person’s home in Wichita, Kansas.
“So a SWAT unit was dispatched to someone else’s address, and as a result of the dispatch, an individual was killed, because when a SWAT unit is dispatched you never know what is going to happen.”
A 26-year-old California man was eventually convicted and sentenced to 20 years in prison in the incident.
In 2020, a Tennessee man died of a heart attack during a swatting incident, and swatting attacks have resulted in numerous cases of property damage.
According to Argast, evolving technology is making it increasingly easy for criminals to hide their identities.
He points to so-called “spoofing” tools that allow a malicious actor to present a false number when making a call — something any Canadian who’s received a CRA scam call in recent years will be familiar with.
“They spoof a local number and unfortunately it’s difficult for emergency services to distinguish that number,” he said.
Criminals have also been able to make use of voice over internet protocol (VoIP) calling to mask their identities, he said.
“Like many cyberattacks, it’s quite difficult to conduct attribution of the source of attacks,” he said.
“It is possible, depending on the right technology and types of forensics investigation, but that doesn’t necessarily mean the police will be successful in this instance if the attacker has been successful at hiding their footprints.”
Despite the challenges, police in Canada have successfully tracked several alleged swatters.
In 2014, four Canadian teens were charged with swatting incidents, including one from Coquitlam who had reported fake plans for a mass shooting in Florida.
In March, a Saksatoon teen was arrested for alleged swatting activities in Canada and the U.S., and just last month, a Manitoba teen was arrested over similar threats in North Carolina.
If Friday’s attack was in line with those previous Canadian incidents, Lvovsky said he believes Burnaby RCMP will have an easier time catching the culprit.
“If it’s a teenager trying to prank somebody, I think it would be rather easy,” he said. “That’s what happened in 2014 with the Canadian teenager. He was bragging about it on Twitter.”
Lvovsky had a message for anyone else thinking of a copycat attack.
“It’s a bad thing to do and people can get hurt,” he said.
“If you think you want to prank someone, find another way. Don’t call emergency services, it’s a very bad way to do it and you will probably get caught.”