Canadian Cyber Threat Intelligence

Year in Review Report: 2021

The cyber threats for 2021 were truly global in nature. In 2021, many new threat actors made their debut, while existing ones became more targeted and sophisticated in their operations. As Canadian organizations continued their rapid digital transformation, threat actors attempted to take full advantage of the associated risks.

Our report highlights significant cyber threats and trends observed in Canada in 2021. We’ve also included insights into these Canadian key trends to better understand the potential impacts of cyberattacks on government entities, businesses and individuals.

Most cyberattacks were financially motivated, while fewer, but an increasing number, were driven by nation-state threat-actor activity, espionage or profit-making factors.

Some of the most critical sectors of the Canadian economy and social well-being were the most targeted. As threat actors gain access to more sophisticated malware tools and technologies at minimum cost, cyberattacks are expected to become more targeted and potentially more damaging.


Around 62% of Canadian organizations either suffered from a ransomware incident or had an attempted ransomware attack. Additionally, Canada was the 11th most impacted country in the world in terms of the number of ransomware threats.

Key findings

Here are the seven key cyber threat trends we observed in Canada in 2021. We believe these will be worth paying attention to in 2022 and beyond.

Ransomware continues to dominate the Canadian threat landscape

Ransomware attacks continue to be one of the most significant cyber threats to a majority of Canadian organizations. This trend is expected to grow in the coming years, as most victims are willing to pay the ransom to minimize damage. Meticulously designed social engineering campaigns, compromised third parties and software vulnerabilities have been the most abused initial access vectors.

Nation-state-supported threat actors pose an ongoing risk to critical infrastructure

Canada saw a significant number of cyberattacks in 2021. Even though most of the threat actors behind the majority of the campaigns remain unknown, several were carried out by state-backed threat actors. Some of the state-sponsored hacking groups that targeted Canadian entities in 2021 include SparklingGoblin APT and APT31.

Supply chain has become a threat vector

As organizations continue to depend on third-party vendors for increased productivity, the associated cyber risks proliferate. Threat actors are taking advantage of this situation by targeting software supply chains to maximize the impact of their operations. In 2021, many threat actors targeted cloud infrastructure and software vulnerabilities, such as Log4j. A number of attacks also originated from third-party-based compromises in which threat actors gained access to a third-party network and used it as a node to launch attacks against the targeted organization.

High-profile vulnerabilities continue to be exploited

A major trend in 2021 was the proliferation of cyber capabilities. Zero-day vulnerabilities reclaimed a prominent space in cybersecurity conversations, with issues surrounding their research, disclosure and exploitation attracting greater public scrutiny. This scrutiny came largely in relation to indiscriminate targeting and issues of national security, as threat actors of all motivations and capabilities rushed to exploit high-profile vulnerabilities.

Phishing remains a key area of concern

In 2021, there was a steady rise in the number of business email compromise attacks and phishing campaigns. Automated phishing attacks carried out mostly by TA505 threat actors were quite prevalent through the first half of 2021. Threat actors mostly used newly registered domains, random email addresses and different subjects to get past security controls and phish users to click on a landing page, at which point a remote access trojan was installed.

Weak cloud controls emerged as the threat actor’s best ally

One of the key themes we observed in 2021 was the use of weak security controls in the cloud environment. A number of organizations haven’t yet configured their cloud environments with conditional access and other controls. This has led to successful password spray attacks using stolen credentials from the dark web during which threat actors established initial access as well as persistence in the target environment.

PowerShell, Cobalt Strike and RDP are among the most frequently used cyberattack tools

PowerShell, Cobalt Strike and Remote Desktop Protocol (RDP) were the most frequently used tools to carry out cyberattacks in 2021. PowerShell, a popular tool among cybercriminals, facilitates fileless infections. Cobalt Strike is exploited to load malicious shellcode onto the target device and maintain persistent access on the victim’s network. RDP servers are used to breach the target network using automated scanning tools and botnet malware families.

Interested in learning more?

Read the full Canadian cyber threat intelligence report.

What's included in the report:

  1. Overview of the Canadian cyber threat landscape in 2021
  2. Insights into key threat actors that have targeted Canada in 2021
  3. Cyber and data protection threat outlook for 2022 and beyond
  4. Recommendations for C-suite executives and CISOs to increase resilience, reduce risk and enhance their security posture
Follow PwC Canada

Required fields are marked with an asterisk(*)

By submitting your e-mail address, you acknowledge that you have read the privacy statement for this site and you consent to our processing the data in accordance with that privacy statement to include international transfers. If you change your mind at any time, please send an email message to the Chief Privacy Officer.

Contact us

Umang Handa

Umang Handa

Partner, National Cybersecurity Managed Services Leader, PwC Canada

Tel: +1 416 815 5208

Cristina Onosé

Cristina Onosé

Lead, Privacy Advocacy and Thought Leadership, PwC Canada

Tel: +1 416 687 8104