
Government of Canada, Hackers are Humans Too: Cyber Leads to CI Leads, 2011. Top Secret.


National Security Archive

May 23, 2026

A 2011 CSE briefing reveals how Canada first linked human counter‑intelligence to Russian cyber‑espionage, exposing the human flaws behind state‑level hacking.

Source: Government of Canada, Hackers are Humans Too: Cyber Leads to CI Leads, 2011. Top Secret. Date: Jan 1, 2011. Archive: The Intercept.


Editorial Analysis

Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.

From Cyber‑Counter‑Intelligence to Human‑Factor Insight

The declassified slide deck titled Hackers are Humans Too: Cyber Leads to CI Leads was produced by Canada’s Communications Security Establishment (CSE) in early 2011 and marked “Top Secret//Sensitive Intelligence” with distribution limited to the Five‑Eyes partners. Its immediate purpose was an internal briefing on a nascent CSE program that fused traditional human counter‑intelligence (CI) with emerging cyber‑espionage analysis. The document’s opening slide lists a “primary focus” on a Russian operation codenamed MAKERSMARK, indicating that by 2010‑11 CSE had already identified a specific threat actor and was attempting to map its operational infrastructure.

The broader episode: the rise of state‑backed cyber‑espionage

MAKERSMARK sits within the first wave of openly acknowledged state‑sponsored hacking groups that emerged after the 2007 cyber‑attacks on Estonia and the 2008 Georgian conflict. Those incidents convinced Western intelligence services that cyber‑intrusions were no longer the domain of lone criminals but a strategic tool of nation‑states. Canada, traditionally a “quiet” intelligence player, began to integrate cyber‑collection into its CI apparatus, mirroring similar moves at the NSA and GCHQ. The slide deck’s repeated mantra—Safeguarding Canada’s security through information superiority—captures the doctrinal shift from defensive information assurance to proactive exploitation of adversary networks.

Who is speaking, and what their language reveals

The author is an unnamed CSE analyst, but the tone betrays a senior operational mindset: the presentation stresses “passive infrastructure tasking/contact chaining” as a method for attribution, and repeatedly contrasts “design by geniuses, implemented by morons” when describing MAKERSMARK’s architecture. This blunt assessment signals internal frustration with the adversary’s poor operational security (OPSEC) despite sophisticated tooling. The document also lists “personal browsing,” “social networking,” and even a “crimeware‑infected development shop” as part of the threat actor’s ecosystem, underscoring a key insight—state hackers are still human beings whose personal habits create exploitable gaps.

Reading between the slides

While the slides are terse, several implications emerge. First, the emphasis on “manual monitoring of anomalous network sessions” and “nothing fancy” suggests that CSE’s cyber‑CI capability at the time relied heavily on human analysts rather than automated big‑data platforms. Second, the reference to a “fourth‑party collection” involving the GUMBLAR botnet indicates that CSE was already tracking the intersection of criminal infrastructure and state espionage, a practice that would later become central to the “joint‑use” doctrine embraced by the Five‑Eyes. Third, the repeated warning that “the window to exploit information is short” hints at a nascent operational tempo—CSE aimed not merely to catalog Russian tools but to seize time‑critical intelligence before the adversary hardened its channels.

Legacy and why it still matters

The deck foreshadows contemporary Canadian cyber‑policy, notably the 2013 establishment of the Cyber‑Security and Threat Management Centre and the 2020‑21 “Cyber‑Security Strategy” that explicitly integrates cyber‑CI with traditional intelligence. Moreover, the Five‑Eyes distribution list shows that Canada was feeding its observations into a shared pool that later underpinned joint responses to Russian cyber‑operations such as the 2016 DNC hack and the 2020 SolarWinds intrusion. The candid language about the adversary’s “poor OPSEC” also prefigures the public attribution campaigns that would later label Russian groups “Fancy Bear” and “Cozy Bear.”

In sum, this 2011 slide deck is more than a technical briefing; it is a snapshot of a pivotal moment when Western intelligence services were re‑learning how to treat hackers as human operatives, leveraging their personal mistakes for strategic gain. The document’s focus on attribution, exploitation windows, and the blending of criminal and state resources anticipates the very frameworks that now define allied cyber‑defence. Its declassification offers scholars a rare glimpse into the early internal debates that shaped today’s integrated cyber‑CI posture, reminding us that behind every sophisticated intrusion lies a very human story.


Page 1

TS//SI//REL TO CAN, AUS, GBR, NZL, and USA Communications Security Establishment Canada Centre de la sécurité des télécommunications Canada

Hackers are Humans too

Cyber leads to CI leads

Safeguarding Canada's security through information superiority Préserver la sécurité du Canada par la supériorité de l'information

Canada 1

Page 2


Introductions

  • [illegible]
  • Cyber-counter intelligence
  • My primary focus is MAKERSMARK (Russia)
  • CSEC – Covert Network Threat (CNT) group
    • New name, same Cyber/CI group you know and love
    • Cyber and traditional CI sitting side by side
    • Focused on Foreign Intelligence, not Information Assurance


Page 3


Goals

  • How do we attribute cyber intrusion sets?
  • How do we go beyond the hacking face of a CNE program?
    • Expose management structure, operators
    • Requirements, technological advances
  • This presentation portrays only one method
    • Passive infrastructure tasking/contact chaining
    • Many others are available


Page 4

Initial Seed

  • Infrastructure tasking
    • Mostly exposed through malware/content delivery
  • Careful and manual monitoring of anomalous network sessions
  • Nothing fancy
  • Not Web 2.0, but it works

Page 5


Overview

  • MAKERSMARK
    • Misuse of Operational Infrastructure
    • Poor OPSEC practices


Page 6


MAKERSMARK (Russian CNE)

Designed by geniuses
Implemented by morons


Page 7


MAKERSMARK

  • The MAKERSMARK less attributed (LA) systems are really well designed
  • This has not translated into security for MAKERSMARK operators
  • Personal browsing through LA systems
    • Workshops, ORBs, and controllers
  • Development shop infected by crimeware
    • 4th party collection


Page 8


MAKERSMARK: Less Attributed Overview

[Diagram: packet flow through MAKERSMARK less-attributed satellite infrastructure. Labels on the slide: "MAKERSMARK Spoofed Source IP"; "Destination Server"; "Response to Spoofed IP"; "IP Routes to a Satellite Customer"; "Satellite ISP Transmitter"; "Satellite Downlink is collected by MM SIGINT Intercept"; "Packet Returned to Attack Station".]


Page 9


MAKERSMARK: Misuse of Infrastructure

  • Less Attributable infrastructure used for highly attributable purposes:
    • Hosting implant callback servers
    • Live testing of new implant protocols
    • Collecting exfiltration
  • This is not CNE best practices


Page 10


MAKERSMARK: Misuse of LA Systems

  • Personal Social Networking
    • Vkontakt
    • (mail/inbox/bk).ru accounts
  • Personal Email
    • Webmail/POP
    • Personal retrieval through masquerading infrastructure
  • Personal web browsing


Page 11


MAKERSMARK: 4th party collection

  • Implant development shop infected by GUMBLAR botnet
    • Crimeware
    • Sends pharmaceutical spam
  • Exfiltration to Canadian "bullet proof" host
    • HTTP/FTP logins
    • Collection of MM operator browsing habits
    • MM LiveJournal accounts included in collection


Page 12


Closing Remarks

  • You have to keep an eye out
    • A lot of value can be lost by not following leads
    • Typically the window to exploit information is short
    • Knowing what to look for is half the battle
  • These exploitation opportunities don't last forever
  • As a CNE program matures, so will its OPSEC

Safeguarding Canada's security through information superiority Préserver la sécurité du Canada par la supériorité de l'information Canada 24

Page 13


Questions?

Safeguarding Canada's security through information superiority Préserver la sécurité du Canada par la supériorité de l'information Canada 25

Page 14

NATIONAL SECURITY ARCHIVE

National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037, Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu

Keywords: declassified, National Security Archive