Thomas Dang RCMP
Court filings of Thomas Dang's hacking for Alberta's vaccine program portal.
Uploaded by
skyler champagne
[Scanned Provincial Adult Criminal Endorsement Sheets (Revised: March 6, 2020); the form entries are not legible in this extraction.]

Identifier Number 2021-1731768CA1
Form 5.004
Form 5.009

Canada
Provincial Court of Alberta
Criminal Division
Judicial District of Edmonton

In the matter of an Application for:
A General Production Order Pursuant to Section 487.014(2) of the Criminal Code;
And
A Non-Disclosure Order Pursuant to Section 487.0191(2) of the Criminal Code
And
An Order Denying Access Pursuant to Section 487.3 of the Criminal Code.
Classification: Protected A

INFORMATION ON OATH

I, Constable Christopher Augstman, a peace officer and a member of the Royal Canadian Mounted Police, affirm and say as follows:

1. I have reasonable grounds to believe that the following offences have been committed, namely:
   a. Unauthorized Use of a Computer contrary to Section 342.1 of the Criminal Code

2. I have reasonable grounds to believe that the following data is in the possession or control of Telus Communications Inc. (Telus) and will afford evidence respecting the commission of the named offences;
   a. Subscriber information for IP address [redacted].77.60 between September 19th, 2021 and September 21st, 2021

3. I have reasonable grounds to believe that the following data is in the possession or control of Alberta Health and will afford evidence respecting the commission of the named offences;
   a. Identity and contact data including name, date of birth, phone number, address, email address and emergency contact for Personal Health Number (PHN) [redacted] and [redacted]

4. Telus and Alberta Health are not under investigation for the named offence.

Introduction

5. I have been a member of the RCMP for the last 12 years. Currently I am in the K Division (Alberta) Cybercrime Investigation Team, located in Edmonton. Prior to this I was in the Red Deer RCMP Cyber/Financial Crime Unit. I have completed the Canadian Police College Cybercrime Investigations Course.

6. All addresses are in the City of Edmonton in the Province of Alberta unless otherwise stated.

Overview

7. In September of 2021, the province of Alberta launched a website allowing individuals to download their COVID19 vaccine records. Upon the website going live, it was flooded with abnormal traffic. These requests came through the TOR Network, which is a system designed to provide anonymity to a user, hiding their true IP address by using a relay system.
During this time there were 3.5 million requests using the date of birth of Premier Jason Kenney, and a further 1 million requests using the date of birth of Thomas Dang, a MLA from the NDP. This flood of traffic resulted in regular users being unable to access the site to download their own records. While most of the suspicious requests came from TOR IP addresses, there were over 100 attempts by IP address [redacted].77.60 that appear to be automated scripts. The same Personal Health Number queried by 75.155.77.60 was also searched by several TOR nodes.

8. The purpose of this application is to obtain subscriber information from Telus that will reveal who leases one of the IP addresses believed to have been used in this attack, as well as identify the individuals whose PHN were submitted.

9. I have relied on the information from the following law enforcement personnel, who are all police officers of the RCMP unless otherwise stated;
   a. Corporal Lucky Ho (Cpl. Ho) is currently assigned to K Division CyberCrime Investigation Team.

Grounds for belief

10. On November 19th, 2021 Martin Dinel (Dinel), the Chief Information Security Officer for the Province of Alberta provided me with a report. From reading this report I learned the following:
   a. In September of 2021, the Government of Alberta launched a website for Albertans to download their proof of COVID19 vaccination;
   b. Between September 19th, 2021 and September 21st, 2021 the website received 3.5 million requests using the same date of birth, later determined to be the date of birth of the Honorable Jason Kenney;
   c. A further 1 million requests were received using a date of birth later determined to be the same as Thomas Dang, MLA with the Alberta NDP;
   d. These requests came through exit nodes on the TOR Network;
   e. Telus is the third party service provider contracted to run this website.
      Telus's own internal investigation identified several IP addresses that match the abnormal traffic from the TOR Network but used non-TOR IP addresses;
   f. There were 104 blocked attempts and 3 valid attempts by IP address [redacted].77.60, which is owned by Telus.

Investigator Comments
[The TOR Network is a computer network that operates over the internet. Its purpose is to allow people to utilize the internet anonymously. It does this by relaying your internet traffic through a randomized network of nodes across the world. The website you visit does not see your IP address, it only sees the IP address of the exit node. The country in which your exit node is located is picked at random, and changes frequently. It does not reflect what country you are actually located in. A user in Canada could have an exit node located in Canada, Germany, the United States or anywhere in the world.

The written report provided by Dinel has a discrepancy on the dates of birth submitted in the abnormal traffic. In the written portions of the report it has a date of birth one day different than what is in the graphs/charts within the reports. This is the same for both sets of abnormal data.]

11. On November 19th, 2021 I did an open source search on IP address [redacted].77.60. From this search I learned the following:
   a. IP address [redacted].77.60 is owned by Telus.

12. On November 19th, 2021 I received an email from Julie Roszmann with Telus Court Order Liaison team. From reading this email I learned the following:
   a. Records related to IP address [redacted].77.60 will not purge until December 18th, 2021.

13. On November 22, 2021 I received an email from Dinel. From reading this email I learned the following:
   a. The COVID19 vaccination records site required the date of birth, Alberta Health Care number and month of one of the vaccine doses;
   b. The abnormal requests appeared to be an attempt to “guess” the required information to access the vaccination of records of individuals;
   c. There is no evidence that any personal information was actually obtained through this attack.

Investigator Comments
[This type of attack is commonly referred to as a brute force attack. In a brute force attack, the attacker simply tries every possible combination until they find the right one. This often means millions of tries and would require some sort of automated process or program to run this many attempts. In this case, 4.5 million attempts in 3 days, means approximately 17 attempts per second.]

14. On November 23rd, 2021 I spoke with Cpl. Ho and reviewed a log file made by him. From this I learned the following:
   a. Cpl. Ho took the log files provided by the Province of Alberta regarding the traffic to the COVID19 website, and copied relevant portions of the logs to a second spreadsheet;
   b. When Cpl. Ho reviewed the data there were multiple variations of PHN's and vaccine dates run by IP address [redacted].77.60
   c. From reviewing this data I saw that IP address [redacted].77.60 had made multiple queries of similar data at the exact same time. This activity is consistent with an automated script rather than human interaction;
   d. That IP address had obtained COVID19 records for PHN A on September 19th, 2021;
   e. Several TOR exit nodes also obtained data for that same PHN on September 19th, 2021;
   f. IP address [redacted].77.60 submitted one request and received results for [redacted]

Investigator Comments
[The original logs provided by the Province of Alberta contained millions of lines, covering all traffic to the COVID19 website for the month of September. Cpl. Ho parsed this data to highlight the unusual traffic that was previously identified.
I believe that the person using IP address [redacted].77.60 ran an automated script on the COVID19 website, possibly as a test. They then also ran the same data through TOR nodes. This would be consistent with someone testing a script for use in an attack. This is not normal user behavior.]

Conclusion

16. I have reasonable grounds to believe that the named offence has been committed. I base my belief on the following as set out in this Information to Obtain:
   a. The Alberta Government COVID19 records website (a computer system) received approximately 4.5 million abnormal requests;
   b. These requests attempted to brute force the personal information of two different people, believed to possibly be Premier Kenney and Thomas Dang, to obtain records stored on the computer system;
   c. An automated process was used to request the information of PHN [redacted] and successfully gained records. Some of these requests were done through TOR nodes.

16. I have reasonable grounds to believe that the data sought is in the possession or control of Telus. I base my belief on the following, as previously set out in this Information to Obtain:
   a. Queries show that the IP address [redacted].77.60 is owned by Telus;
   b. Telus has confirmed they currently hold records related to this IP address.

17. I have reasonable grounds to believe that the data sought is in the possession or control of Alberta Health. I base my belief on the following, as previously set out in this Information to Obtain
   a. According to the logs, data was obtained from the Alberta Health COVID19 website for both PHNs.

18. I have reasonable grounds to believe that the data will afford evidence of the named offences. I base my belief on the following, as previously set out in this Information to Obtain:
   a. This will show the physical address and subscriber of the IP address used to send abnormal requests to the COVID19 vaccine records website;
   b. This will show the identities of the individuals whose information was obtained through the COVID19 vaccine site, allowing police to identify potential suspects or victims.

19. I therefore request that Telus and Alberta Health be ordered to produce the said documents or data to Cst. Chris Augstman, a peace officer, at 11140 - 109 Street NW, Alberta, or delegate, as soon as reasonably possible but in any event no later than December 24th, 2021.

Terms and Conditions - Production Order

20. I propose that the Production Order be subject to the following terms and conditions;
   a. Any data required to be produced shall be produced in electronic form recorded on machine readable electronic storage media, or in an otherwise accessible and usable form;
   b. Any copies of printed documents required to be produced shall be certified by affidavit to be true copies;
   c. Telus and Alberta Health may produce any document or data by electronic transmission to the electronic mail address chris.augstman@rcmp-grc.gc.ca provided that all necessary certificates are duly completed and transmitted by the same or other means prior to the expiry of the term of this order and that the electronic mail transmission be encrypted or password protected;
   d. Nothing in this application shall be so construed as to require the production of any data of documents which are subject to solicitor client privilege;
   e. Telus and Alberta Health have the right to apply to revoke or vary this order;
   f. If Telus or Alberta Health contravenes this order without lawful excuse, they may be subject to a fine, to imprisonment or both.
Application for Non-Disclosure Order

21. I have reasonable grounds to believe that the disclosure of the existence of any of the contents of the Production Order made under Section 487.014(2) of the Criminal Code would jeopardize the on-going investigation. The suspects have yet to be identified, but are most likely unaware that police are investigating this matter, and that their IP address or PHN may have been obtained. If the owner of the IP address or PHN were to be notified of this Production Order they may change their behaviours or destroy evidence. Therefore, I am requesting an order prohibiting Telus and Alberta Health and any employee, servant or agent of Telus and Alberta Health from disclosing the existence of any of the contents of the order during the period of one year after the day on which this order is made.

Application for a Sealing Order

22. Due to the nature and circumstances of this investigation, I believe that the ends of justice would be subverted by the premature disclosure or public access of any information relating to the Production Order for the reasons listed above. This outweighs in importance the access to the information

23. Further, I request that an Order be granted prohibiting access to this Information to Obtain and materials related to this application be held at the Edmonton Court Registry located at 1A Sir Winston Churchill Square, Edmonton Law Courts Building, Edmonton until a court of competent jurisdiction orders otherwise.

I certify that Cst. Christopher Augstman satisfied me that he was a person entitled to affirm.

Affirmed before me on this 24th of November, 2021 at Edmonton, Alberta.
[Signatures: A Commissioner for Oaths in and for the Province of Alberta, no expiry; Constable Christopher Augstman, RCMP]

Identifier Number 2021-1731768CA2
Form 1

Canada
Provincial Court of Alberta
Criminal Division
Judicial District of Edmonton

In the matter of an Application for:
A Warrant to Search Pursuant to Section 487 of the Criminal Code;
And
An Assistance Order, Pursuant to Section 487.02 of the Criminal Code
And
An Order Denying Access Pursuant to Section 487.3 of the Criminal Code

Classification: Protected A

INFORMATION ON OATH

1. I, Constable Christopher Augstman, a peace officer and a member of the Royal Canadian Mounted Police. I affirm and say as follows:

2. I have reasonable grounds to believe that the following offences have been committed, namely:
   a. Unauthorized Use of a Computer contrary to Section 342.1 of the Criminal Code.

3. The following things (the things) will afford evidence in respect of the named offence;
   a. Computers including but not limited to desktop computers, laptops, tablets, cellphones;
   b. Electronic storage media such as hard drives and USB storage devices;
   c. Routers, modems and other computer networking equipment;
   d. Passwords and user account information;
   e. Information and/or data contained within the computers, or available to or capable of being accessed via the computers through cloud or server based access.

4. The things are stored in the following location:
   a. [redacted] Edmonton, Alberta, the residence of Thomas Dang and Kristy Chan.

Introduction

5. I have been a member of the RCMP for the last 12 years. Currently I am in the K Division (Alberta) Cybercrime Investigation Team, located in Edmonton. Prior to this I was in the Red Deer RCMP Cyber/Financial Crime Unit.
I have participated in over 40 investigations involving the use of open source intelligence gathering or various cyber crimes, both where the computer was the target and where the computer is a tool for committing the offence. This includes; ransomware investigations against critical infrastructure as well as small businesses, unauthorized access to a computer, cryptocurrency thefts, online harassment and phishing campaigns.

6. I have completed a number of law enforcement and civilian training courses. This includes the Canadian Police College Cybercrime Investigations Course, the National Cyber-Forensics and Training Alliance Deep/Dark Web Investigation Course and Cryptocurrency Investigation Course, Humber College's CyberCrime Certificate, and Mohawk College's Hacker Techniques, Tools and Incident Handling. I have also completed the RCMP training for on-line undercover operations and have made a successful purchase of materials from the dark web.

7. All addresses are in the City of Edmonton in the Province of Alberta unless otherwise stated.

Previous Applications

8. On November 26th, 2021, Judge Creagh authorized a Production Order for Telus and Alberta Health.

Overview

9. In September of 2021, Alberta Health launched a website allowing individuals to download their COVID19 vaccine records. Upon the website going live, it was flooded with abnormal traffic. Many of these requests came through the TOR Network, which is a system designed to provide anonymity to a user, hiding their true IP address by using a relay system. During this time there were 1.75 million requests using the date of birth of Premier Jason Kenney, and a further approximately 50,000 requests using the date of birth of Thomas Dang, a MLA with the NDP. While most of the suspicious requests came from TOR IP addresses, there were approximately 100 attempts by IP address [redacted].77.60 that appear to be automated.
The same Personal Health Number queried by [redacted].77.60 was also searched by several TOR nodes shortly after. According to Production Order results from Telus, IP [redacted].77.60 belongs to Dang.

10. The purpose of this application is to obtain a search warrant for Dang's residence to seize computer equipment. These devices will provide evidence of who performed attacks on the COVID vaccine record portal.

11. I have relied on the information from the following law enforcement personnel, who are all police officers of the RCMP unless otherwise stated:
   a. Corporal Lucky Ho (Cpl. Ho) is currently assigned to K Division CyberCrime Investigation Team in Edmonton;
   b. Corporal Jamie Thorsen (Cpl. Thorsen) is currently assigned to K Division Digital Forensic Services (DFS) in Edmonton. The DFS unit is responsible for the forensic examination of computers and other digital devices for the RCMP;
   c. Criminal Intelligence Analyst Chris Mowbray (CIA Mowbray) is a civilian criminal analyst with the RCMP in Edmonton;
   d. Civilian Member Clint Felkar (CM Felkar) is a civilian investigator currently assigned to K Division CyberCrime Investigation Team in Edmonton. CM Felkar does not have peace-officer status.

12. The following individuals or agencies are referenced in this document. This is a brief description of their role in this investigation:
   a. Martin Dinel (Dinel) is the Chief Information Security Officer for Service Alberta. Service Alberta, and the sub-department Cybersecurity Services is responsible for cyber security for the Province of Alberta;
   b. Gurjot Singh (Singh) is a cybersecurity analyst with Cybersecurity Services;
   c. Telus Communications Inc. through their sub-department Telus Health operates the COVID19 vaccination record portal on behalf of the Province of Alberta. Telus is also the Internet Service Provider for Thomas Dang. These two roles are separate for the purpose of this investigation;
   d. Alberta Health is the government ministry that contracts Telus Health to operate the COVID19 vaccination record portal. Alberta Health utilizes Service Alberta to investigate cybersecurity matters.

Grounds for belief

Personal Knowledge

13. From my own training, knowledge and experience I know the following:

   a. IP addresses are unique numerical identifiers used by computers to talk to each other over a network. Blocks of these addresses are owned by Internet Service Providers such as Telus, Bell, Rogers, and then individual IP addresses are temporarily leased to individual customers. These leases could be for hours, days or months at a time. IP addresses could be described as the computer version of telephone numbers;

   The TOR Network is a computer network that operates over the internet. Its purpose is to allow people to utilize the internet anonymously. It does this by relaying your internet traffic through a randomized network of computers, called nodes across the world. The website you visit does not see your IP address, it only sees the IP address of the exit node, which is the last node your internet traffic passes through before going to the website. The country in which your exit node is located is picked at random, and changes frequently. It does not reflect what country you are actually located in. A user in Canada could have an exit node located in Canada, Germany, the United States or anywhere in the world. While it is most commonly known for being used to access the dark web, TOR can be used on the regular internet as well;

   The IP addresses of exit nodes are publicly listed.
   Various tools used to check IP addresses can cross-reference these IP addresses with those of known TOR exit nodes;

   A Virtual Private Network (VPN) is another tool used to anonymize internet traffic by routing it through a different end-point;

   A script is a type of computer code that can be utilized to execute commands on a computer, including the automation of functions, such as inputting information into websites. Scripts can be relatively easy to write, requiring only a basic level of understanding of computer coding;

   A brute force attack is when the attacker simply tries every possible combination until they find the right one. Usually these are conducted to find the password or similar credential to gain access to something. This often means millions of tries and would require some sort of automated process or program to run this many attempts. People will often store passwords or other login information on their cellphone, pieces of paper or in notebooks in order to keep track of them;

   Data as well as operating systems for computers can be stored on external storage mediums such as USB drives. A computer can be configured to load software or operating systems from these external devices;

   OSCP in terms of computing often refers to Offensive Security Certified Professional. Individuals who have an OSCP certification have developed skill in penetration testing. This certification requires individuals to be able to “hack” into multiple computer systems;

   “Infosec” in terms of computing is Information Security. This includes topics such as penetration testing;

   Penetration Testing is in layman's terms, hacking into a computer system. This can be done with the permission of the target's owner to test for vulnerabilities.
   However these same skills can be utilized without the owner's permission for various reasons such as to obtain data that one is not authorized to obtain. Penetration testing uses specialized computer applications and Operating Systems;

   Twitter is a publicly accessible social media platform. Individuals, companies and organizations often use it to get messages out to the public. Accounts belonging to public figures or companies can become "verified" in which Twitter confirms that the account is owned by the entity that it claims to be. A post on Twitter is referred to as a Tweet;

   Location data and calendar data can be used to help determine attribution for a cyber attack.

Province of Alberta Information

14. On November 19th, 2021 Martin Dinel (Dinel), the Chief Information Security Officer for the Province of Alberta provided me with a report. The following is a summary of the relevant portions of this report:
   a. In September of 2021, Alberta Health launched a website for Albertans to download their proof of COVID19 vaccination;
   b. Between September 19th, 2021 and September 21st, 2021 the website received 3.5 million requests for the date of birth May 30th, 1968, which the report states is the date of birth of the Honorable Premier of Alberta Jason Kenney;
   c. A further 1 million requests were received using a date of birth April 7th, 1995, later determined to be the same as Thomas Dang, an MLA with the Alberta NDP;
   d. These requests came through exit nodes on the TOR Network;
   e. Telus is the third party service provider contracted to run this website. Telus's own internal investigation identified several IP addresses that match the abnormal traffic from the TOR Network but used non-TOR IP addresses;
   f. There were 104 blocked attempts and 3 valid attempts by IP address [redacted].77.60, which is owned by Telus.
Investigator Comments
[I clarified with Singh on December 7th, 2021 that there were 2.25 million unique requests, along with 2.25 million responses from the website, not 4.5 million requests. This timeline will be further clarified by CIA Mowbray in paragraph 28. On December 13th, 2021 Singh also clarified that it was 0.1 million requests using the date of birth April 7th, 1995, not 1 million.

The written report provided by Dinel has a discrepancy on the dates of birth submitted in the abnormal traffic. In the written portions of the report it has a date of birth one day different than what is in the graphs/charts within the reports. This is the same for both sets of abnormal data. The actual logs provided to investigators confirm the date of birth requested as being May 30th, 1968 and April 7th, 1997, the dates of birth of Premier Kenney and Dang respectively. The written portion has the correct date of birth; the graphs are off by one day. Singh, who originally wrote the report clarified this is the result of the software used to create the graph.]

15. On November 22nd, 2021 I received an email from Dinel. The following is a summary of the relevant portions of this email:
   a. The COVID19 vaccination records site required the date of birth, Alberta PHN number and month of one of the vaccine doses in order to access the vaccination records of an individual;
   b. The abnormal requests appeared to be an attempt to “guess” the required information to access the vaccination of records of individuals;
   c. There is no evidence that any personal information was actually obtained through this attack.

Investigator Comments
[Abnormal was the term used by Dinel and the report to describe any traffic that was irregular. This could include use of TOR, multiple requests from one IP of unrelated records. This type of attack is commonly referred to as a brute force attack.
Subsequent analysis by CM Felkar determined that personal information of two individuals was most likely obtained through this attack.]

16. On December 7th, 2021 I received an email from Singh and followed up with a phone call. The following is a summary of the relevant portions of the email and phone call;
   a. Singh was clarifying some points in the report he wrote;
   b. The figure of 4.5 million is both requests by the attacker, and responses from the website;
   c. The date in the graphs are off by a day in his report due to the way the software interprets the time and date when making the graph.

Investigator Comments
[This is in reference to the report provided by Dinel to me on November 19th, 2021. Every request sent by a user generates a response from the website. This matches what investigators have seen in reviewing the logs provided by Singh.]

17. On December 13th, 2021 I received an email from Singh. The following is a summary of the relevant portions of the email:
   a. There's a typo in his report, it should state 0.1 million and not 1 million hits.

Investigator Comments
[This is in reference to the report provided by Dinel to me on November 19th, 2021. This matches what investigators have seen in reviewing the logs provided by Singh.]

Police Investigative Steps

18. On November 19th, 2021 I searched IP address [redacted].77.60 on the websites whatismyipaddress.com and centralops.net. The following is a summary of the relevant portions of this search:
   a. These websites use publicly available information to determine which Internet Service Providers own specific IP address. It does not provide the subscriber data of residential subscribers;
   b. IP address [redacted].77.60 is owned by Telus.

19. On November 23rd, 2021 I spoke with Cpl. Ho and reviewed a log file made by him. The following is a summary of the relevant portions of this conversation:
   a. Cpl. Ho took the log files provided by Singh from Alberta Cybersecurity Services regarding the traffic to the COVID19 website, and copied relevant portions of the logs to a second spreadsheet;
   b. The logs provided by Alberta Cybersecurity Services contained millions of lines, covering all traffic to the COVID19 website for the month of September. Cpl. Ho parsed this data to highlight the unusual traffic that was previously identified;
   c. When Cpl. Ho reviewed the second spreadsheet there were multiple variations of Personal Health Numbers (PHN) and vaccine dates run by IP address [redacted].77.60.

20. On November 23rd, 2021 I reviewed the second spreadsheet created by Cpl. Ho. The following is a summary of the relevant portions of this spreadsheet:
   a. From reviewing this data on the second spreadsheet created by Cpl. Ho I saw that IP address [redacted].77.60 had made multiple queries of similar data at the exact same time. This activity is consistent with an automated script rather than human interaction;
   b. That IP address had obtained COVID19 records for a particular PHN (PHN “A”) on September 19th, 2021;
   c. Several TOR exit nodes also obtained data for PHN “A” on September 19th, 2021;
   d. IP address [redacted].77.60 submitted one request and received results for a second particular PHN (PHN “B”).

Investigator Comments
[I have referred to these PHN's as “A” and “B” to remove personal information from this ITO. I believe that the person using IP address [redacted].77.60 ran an automated script on the COVID19 website, possibly as a test. They then also ran the same data through TOR nodes. This would be consistent with someone testing a script for use in an attack. This is not normal user behavior.]

21. On December 1st, 2021 I received an email from Debbie Czerski (Czerski), an employee of Telus in their Security Department.
The following is a summary of the relevant portions of this email:
a. Czerski was providing the results of the Production Order I obtained, authorized by Judge Creagh on November 26th, 2021 for subscriber information related to IP address [redacted].77.60;
b. IP address [redacted].77.60 was leased only to Thomas Dang at [redacted] Edmonton, Alberta between September 19th, 2021 and September 21st, 2021.

22. On December 2nd, 2021 I read an affidavit from Tracey Chalmers (Chalmers), an employee of the Alberta Ministry of Health. The following is a summary of the relevant portions of this affidavit:
a. Chalmers was providing the results of the Production Order I obtained, authorized by Judge Creagh on November 26th, 2021 for the identity and contact information for Alberta PHN "A" and "B";
b. Alberta PHN "A" belongs to Thomas Dang;
c. Alberta PHN "B" belongs to Kristy Chan;
d. Both Dang and Chan have listed their address as [redacted] Edmonton on their Alberta Health account.

23. On December 2nd, 2021 I viewed the verified Twitter page of Dang. The following is a summary of the relevant portions of this Twitter page:
a. Dang describes himself as an "Infosec enthusiast. OSCP."

24. On December 3rd, 2021, members of the RCMP conducted surveillance for this investigation. The following is a summary of the relevant portions of this surveillance report:
a. Dang was observed coming and going from [redacted] Edmonton.

25. On December 7th, 2021, I read the can-say report of Cpl. Thoreson. The following is a summary of the relevant portions of this can-say:
a. A search for evidence from computers and other devices capable of storing data commonly require them to be brought to a controlled environment for an examiner to conduct their analysis;
b. Remotely stored data, also known as "cloud storage" is data not stored on the device, but accessible to the device as if it was stored locally.
If the connection to the remotely stored data is severed, it may not be possible to access that data without the user name and password;
c. Many devices contain volatile data and must be searched on scene. If the power is interrupted to these devices the data may be lost permanently. Desktop computers and routers are examples of devices that have volatile memory;
d. In order to obtain evidence, the forensic examiner will make an exact copy, also known as an image of all of the data on a device, then analyze a copy of this exact image for data listed in the judicial authorization;
e. A full copy of this can say is attached as Exhibit "A".

26. On December 9th, 2021 I spoke with CM Felkar. The following is a summary of the relevant portions of this conversation:
a. CM Felkar took the original logs provided by Singh and parsed out the queries for date of birth May 30th, 1968 into a separate file. CM Felkar then searched this second log file for any queries that returned records and used the month of vaccination as April;
b. Three results were provided on September 23rd, 2021 for the date of birth May 30th, 1968 with the month of vaccination dose as April;
c. Two of these results were incremental, matching the pattern of the scripted queries;
d. CM Felkar performed a WHOIS search on the IP addresses used for these two queries. Both of them were for TOR exit nodes located in Germany.

Investigator Comments
[Based on the findings of CM Felkar I believe that whomever ran the scripted attack with date of birth May 30th, 1968 accessed the records of at least two individual's COVID19 vaccine records.]

27. On December 13th, 2021 I read a Tweet written by Dang's verified account on Twitter, provided to me by CIA Mowbray. The following is a summary of the relevant portions of that post:
a. In a reply to someone else's Tweet, Dang's account replied with "I did a whole OSCP using RDP into Kali on an old laptop from my desktop.";
b. This Tweet was sent using Twitter for Android;
c. This Tweet was posted on September 24th, 2021.

Investigator Comments
[RDP in this context means Remote Desktop Protocol, which is a method to remotely connect to and control a computer. Kali is a specialized Operating System used for penetration testing. In layman's terms, Dang's Twitter account is saying that they did a practice hack using special software on their desktop computer to access remotely their own old laptop. This is something individuals who are interested in penetration would do as a method of practicing their skills. From this post I believe that Dang likely has at the very least an Android cellphone, an old laptop running Kali as an operating system and a desktop computer. Based on this post, he likely uses the desktop computer for conducting his penetration testing work, but also has specialized hacking tools on the other laptop.]

28. On December 14th, 2021, members of the RCMP conducted surveillance for this investigation. The following is a summary of the relevant portions of this surveillance report:
a. Dang was seen coming and going from the residence;
b. A vehicle registered to Chan was seen pulling into the garage. Dang was already in the house at the time. The driver of this vehicle was not identified by surveillance.

Investigator Comments
[I believe that Kristy Chan was likely the driver of the vehicle in sub-paragraph b.]

29. On December 17th, 2021, CIA Mowbray analyzed log files parsed by CM Felkar, from the log files provided by Singh.
The following is a summary of the relevant portions of this report:
a. There were 119 queries to the COVID19 portal from IP address 75.155.77.60 for date of birth April 7th, 1995, most of which were for PHN "A" on September 19th, 2021 between 11:00 am and 12:00 pm. The last query in this spike of queries was at 12:03 pm;
b. Starting 39 seconds later at 12:04 pm PHN "A" was requested multiple times in quick succession using the TOR network;
c. Over 49,000 queries for the date of birth April 7th, 1995 were made on September 19th, 2021, with the majority of them between 8:00 pm and 10:00 pm using the TOR network;
d. Starting around midnight on September 20th, 2021 hundreds of thousands of queries are made on the TOR network for date of birth May 30th, 1968. In total between September 19th, 2021 and September 23rd, 2021 there are approximately 1.78 million queries made for this date of birth. During this time, the number of queries for PHN "A" and the date of birth April 7th, 1995 are negligible;
e. The PHN's queried are somewhat sequential;
f. Mowbray identified gaps in his analysis, including that he only reviewed the log files provided by investigators, which are for PHN "A", IP address [redacted].77.60, and the dates of birth April 7, 1995 and May 30th, 1968, not the entire log files provided by Singh. Only parsed data was provided to CIA Mowbray due to the size of the log files. Software and computer limitations hindered him from reviewing all the data.

Investigator Comments
[The number of hits according to Singh's analysis and CIA Mowbray's analysis differ because Singh counted both the request made to the site, and the response from the site, while CIA Mowbray only included requests made to the site in his analysis.
Having a number of requests in a short period of time that exceeds the ability of a normal user to make manually, along with the sequential changing of information in the requests gives me reason to believe that this is a scripted brute force attack.]

Conclusion

30. I have reasonable grounds to believe that the named offence has been committed. I base my belief on the following as set out in this Information to Obtain:
a. The Alberta Government COVID19 records website (a computer system) received approximately 1.8 million abnormal requests;
b. These requests attempted to brute force the personal information of two different people, believed to possibly be Premier Kenney and Thomas Dang, to obtain records stored on the computer system;
c. Two of the queries performed by the brute force attack produced the COVID19 vaccine records of individuals.

31. I have reasonable grounds to believe that the things sought are located at the place to be searched. I base my belief on the following, as previously set out in this Information to Obtain:
a. IP address [redacted].77.60 is registered at Edmonton, Alberta;
b. A computer would have been required to run an automated script against the COVID19 vaccine record website;
c. Dang's verified Twitter account has stated that he has multiple computers, including at least one with specialized tools on it for conducting penetration testing;
d. Networking equipment is required to access the internet from the address provided by Telus.

32. I have reasonable grounds to believe that the things will afford evidence of the named offences. I base my belief on the following, as previously set out in this Information to Obtain:
a. Computers — A computer would be required to run the script or program that was used in the offence.
b. Electronic storage media — Data, operating systems or applications that were used to run the script on the website can be stored on external storage devices;
c. Routers, modems and other computer networking equipment — These devices can histories of devices connected to the internet through that device. This will show if a computer or device not belonging to Dang was used to connect to the network at the time of the offence;
d. Passwords and User accounts — Data on computers can be encrypted, requiring a password to unlock the data and make it readable;
e. Cloud or Server based data — Data relating to the use of scripts can be stored on cloud based storage, similarly to how it can be stored on an external hard drive.

33. I am aware that Thomas Dang is a sitting member of the Official Opposition in the Alberta Legislature. As such some documents and correspondence that he may possess could be subject to parliamentary privilege. Every effort will be made to ensure that this privilege is respected. As laid out in the terms and conditions, DFS will act as the gate keeper between the information and the investigative team.

34. I therefore request that a warrant be issued to authorize between the hours of 6:00 am and 9:00 pm on December 21st, 2021, to enter into [redacted] Edmonton, Alberta and search for the said things and to bring them before a Justice.

Terms and Conditions

35. I am requesting the warrant be subject to the following terms and conditions:
a. Examination of the things shall be for the following data:
i. Passwords, user credentials and other account login information;
ii. Calendar information for September 18th, 2021 to September 30th, 2021;
iii. User accounts;
iv. Device Identification Numbers;
v. Network connection information;
vi. Location data for September 18th, 2021 to September 30th, 2021;
vii. Browser history;
viii. COVID19 vaccine records;
ix. TOR and VPN information;
x. Software capable of creating scripts to be used to make abnormal requests to a website, scripts, and documentation relating to such programs and scripts;
xi. Software and operating systems used for computer security or penetration testing;
xii. Log files;
xiii. List of all installed programs and operating systems.
b. The things may be relocated to any forensic facility for the purpose of conducting or completing the authorized search;
c. The examinations and analysis will be completed by a qualified digital forensic examiner with the RCMP Digital Forensics Services, or another qualified technician designated by a police service in Canada;
d. Post-seizure examinations of the things and analysis of the documents and data from within the things may be done at any time during or after the execution of the warrant. DFS will maintain the full images, providing investigators with only the documents and data specified in this or another judicial authorization;
e. If it is reasonably believed that a document or data is subject to parliamentary privilege, the person conducting the examination and analysis shall cease any further examination and analysis of that specific document and/or data. In this situation, the examination and analysis of the computer may continue within the parameters of the terms and conditions of the requested warrant, but reasonable steps must be taken to ensure that the documents and/or data containing parliamentary privilege cannot be further shared, reproduced, or viewed by any person without further authorization by this Court.

Assistance Order

36. Clint Felkar is a civilian criminal investigator employed by the RCMP for his expertise in cyber crime.
Felkar does not currently have peace officer status, but provides technical knowledge that enhances the ability of the investigative team. He has intimate knowledge of this investigation, especially of the log data provided by Singh. Felkar will assist in conducting the search of the residence for the things, as well as providing specialized technological knowledge in support of any interviews with occupants conducted at the scene.

37. Keith Wall (Wall) is a civilian who is a trained digital forensic examiner employed by Edmonton Police Service (EPS) Tech Crime Unit, but does not presently have peace officer designation. The Tech Crime Unit fills the same function for EPS as DFS does for the RCMP. Wall will assist the other digital forensic examiners in seizing and examining computers found at the residence.

38. Pursuant to Section 487.02 of the Criminal Code, I am requesting that the following be ordered:
a. Clint Felkar and Keith Wall are expressly authorized to attend at the execution of the warrant and provide assistance as necessary;
b. Keith Wall is also authorized to assist in the post-seizure examination of the devices seized.

39. Due to the nature and circumstances of this investigation, I believe that the ends of justice would be subverted by the premature disclosure or public access of any information relating to the Search Warrant for the following reason. If the person responsible were to discover they are under investigation prior to the execution of this search warrant, they may destroy evidence on their computers. This outweighs in importance the access to the information. Our intention is to have this warrant unsealed after the execution of the warrant. If circumstances prevent the execution of this warrant a new sealing order will be sought to ensure the warrant remains sealed until such time it can be disclosed without jeopardizing the investigation.
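The log reasoning set out in paragraphs 26 and 29 above (one date of birth submitted against many roughly sequential PHNs, at a rate beyond manual entry, with requests and responses logged as separate lines) can be written as a check over portal logs. The Python below is an added example, not part of the court filing or of the investigators' tooling; the log layout, thresholds, IP addresses, dates of birth and PHNs are constructed assumptions.

```python
import csv
from collections import defaultdict
from datetime import datetime

FIELDS = ["ts", "direction", "src", "dob", "phn", "month", "result"]
# Constructed stand-in for a published TOR exit-node list (documentation IP range).
TOR_EXITS = {"203.0.113.10", "203.0.113.11"}


def build_sample_log():
    """Constructed log lines; the column layout is an assumption, not the portal's format."""
    rows = []
    # Scripted run: one date of birth, PHN rising by 1, 40 requests in 20 seconds.
    for i in range(40):
        ts = f"2021-09-23T01:00:{i // 2:02d}"
        ip = "203.0.113.10" if i % 2 else "203.0.113.11"
        phn = 100000000 + i
        result = "records" if i == 17 else "no_match"
        rows.append(f"{ts},REQ,{ip},1970-01-01,{phn},04,")
        rows.append(f"{ts},RESP,{ip},1970-01-01,{phn},04,{result}")
    # Ordinary users, including one who retypes a PHN with the last digit corrected.
    users = [("198.51.100.5", "1985-03-02", 481516234, "records"),
             ("198.51.100.6", "1990-11-20", 271828182, "no_match"),
             ("198.51.100.6", "1990-11-20", 271828183, "records")]
    for n, (ip, dob, phn, result) in enumerate(users):
        ts = f"2021-09-23T0{n + 2}:15:00"
        rows.append(f"{ts},REQ,{ip},{dob},{phn},05,")
        rows.append(f"{ts},RESP,{ip},{dob},{phn},05,{result}")
    return rows


def parse(lines):
    """Turn CSV log lines into records with typed timestamp and PHN."""
    records = []
    for row in csv.DictReader(lines, fieldnames=FIELDS):
        row["ts"] = datetime.fromisoformat(row["ts"])
        row["phn"] = int(row["phn"])
        records.append(row)
    return records


def count_lines_vs_requests(records):
    """Every request has a response line, so raw line counts are double the request count."""
    return len(records), sum(r["direction"] == "REQ" for r in records)


def profile_by_dob(records, tor_exits):
    """Summarise request traffic per submitted date of birth."""
    requests, returned = defaultdict(list), defaultdict(set)
    for r in records:
        if r["direction"] == "REQ":
            requests[r["dob"]].append(r)
        elif r["result"] == "records":
            returned[r["dob"]].add(r["phn"])
    profiles = {}
    for dob, reqs in requests.items():
        reqs.sort(key=lambda r: r["ts"])  # stable: same-second requests keep log order
        phns = [r["phn"] for r in reqs]
        steps = [b - a for a, b in zip(phns, phns[1:])]
        per_minute = defaultdict(int)
        for r in reqs:
            per_minute[r["ts"].replace(second=0)] += 1
        profiles[dob] = {
            "requests": len(reqs),
            "distinct_phns": len(set(phns)),
            # Share of consecutive requests whose PHN rose by a small step (assumed: 1 to 10).
            "sequential_ratio": sum(0 < s <= 10 for s in steps) / len(steps) if steps else 0.0,
            "peak_per_minute": max(per_minute.values()),
            "tor_share": sum(r["src"] in tor_exits for r in reqs) / len(reqs),
            "phns_returned": sorted(returned[dob]),
        }
    return profiles


def flag_enumeration(profiles, min_phns=20, min_seq=0.8, min_rate=30):
    """Dates of birth whose traffic is many PHNs, mostly incremental, faster than typing."""
    return sorted(dob for dob, p in profiles.items()
                  if p["distinct_phns"] >= min_phns
                  and p["sequential_ratio"] >= min_seq
                  and p["peak_per_minute"] >= min_rate)


if __name__ == "__main__":
    recs = parse(build_sample_log())
    print("lines, requests:", count_lines_vs_requests(recs))
    prof = profile_by_dob(recs, TOR_EXITS)
    for dob in flag_enumeration(prof):
        print(dob, prof[dob])
```

The user who corrects one digit also produces a sequential step, which is why the flag requires volume and rate as well as sequence; any PHN listed under `phns_returned` for a flagged date of birth is a record that needs breach follow-up.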
40. I request that an Order be granted prohibiting access to this Information to Obtain and materials related to this application be held at the Edmonton Court Registry located at 1A Sir Winston Churchill Square, Edmonton Law Courts Building, Edmonton until December 24th, 2021.

I certify that Cst. Christopher Augstman satisfied me that he was a person entitled to affirm.
Affirmed before me on this 20th of December, 2021 at Edmonton, Alberta.

[digital signature stamps]
A Commissioner for Oaths in and for the Province of Alberta, no expiry
Constable Christopher Augstman, RCMP

Classification: Protected A
Identifier Number 2021-1731768CA3
Form 5.004
Form 5.009

Canada
Provincial Court of Alberta
Criminal Division
Judicial District of Edmonton

In the matter of an Application for:
A General Production Order Pursuant to Section 487.014(2) of the Criminal Code;
And A Non-Disclosure Order Pursuant to Section 487.0191(2) of the Criminal Code;
And An Order Denying Access Pursuant to Section 487.3 of the Criminal Code.

INFORMATION ON OATH

1. I, Constable Christopher Augstman, a peace officer and a member of the Royal Canadian Mounted Police, affirm and say as follows:

2. I have reasonable grounds to believe that the following offences have been committed, namely:
a. Unauthorized Use of a Computer contrary to Section 342.1 of the Criminal Code.

3. I have reasonable grounds to believe that the following data is in the possession or control of Alberta Health and will afford evidence respecting the commission of the named offences:
b. Identity and contact data including name, date of birth, phone number, address, email address for Personal Health Number (PHN) [redacted] (PHN C).

4. Alberta Health is not under investigation for the named offence.

Introduction

5. I have been a member of the RCMP for the last 12 years. Currently I am in the K Division (Alberta) Cybercrime Investigation Team, located in Edmonton. Prior to this I was in the Red Deer RCMP Cyber/Financial Crime Unit. I have participated in over 40 investigations involving the use of open source intelligence gathering or various cyber crimes, both where the computer was the target and where the computer is a tool for committing the offence. This includes: ransomware investigations against critical infrastructure as well as small businesses, unauthorized access to a computer, cryptocurrency thefts, online harassment and phishing campaigns.

6. I have completed a number of law enforcement and civilian training courses. This includes the Canadian Police College Cybercrime Investigations Course, the National Cyber-Forensics and Training Alliance Deep/Dark Web Investigation Course and Cryptocurrency Investigation Course, Humber College's CyberCrime Certificate, and Mohawk College's Hacker Techniques, Tools and Incident Handling. I have also completed the RCMP training for on-line undercover operations and have made a successful purchase of materials from the dark web.

7. All addresses are in the City of Edmonton in the Province of Alberta unless otherwise stated.

Previous Applications

8. On November 26th, 2021, Judge Creagh authorized a Production Order for Telus and Alberta Health.

9. On December 20th, 2021, Judge Creagh authorized a Search Warrant for the residence of Thomas Dang and Kristy Chan.

Overview

10. In September of 2021, Alberta Health launched a website allowing individuals to download their COVID19 vaccine records. Upon the website going live, it was flooded with abnormal traffic. Many of these requests came through the TOR Network, which is a system designed to provide anonymity to a user, hiding their true IP address by using a relay system.
During this time there were 1.75 million requests using the date of birth of Premier Jason Kenney, and a further approximately 50,000 requests using the date of birth of Thomas Dang, a MLA with the NDP. While most of the suspicious requests came from TOR IP addresses, there were approximately 100 attempts by IP address [redacted].77.60 that appear to be automated. The same Personal Health Number queried by 75.155.77.60 was also searched by several TOR nodes shortly after. Further, the logs show that at least one PHN (PHN C) may have been accessed through this brute force attack. PHN C was queried three times on September 23, once by the scripted attack, then again twenty-seven minutes later and finally approximately two hours later. After the second query the scripted attack stopped. After the third query an email was sent from the Alberta NDP Director of Communications to the Alberta Ministry of Health Director of Communications informing him of a security vulnerability to the COVID19 vaccine portal. A search warrant was executed on the residence of Thomas Dang and a number of computers were seized from his residence.

11. The purpose of this application is to obtain a production order for Alberta Health to provide records related to PHN C. This will provide evidence of individual's private data being accessed without proper authorization.

12. I have relied on the information from the following law enforcement personnel, who are all police officers of the RCMP unless otherwise stated:
a. Corporal Lucky Ho (Cpl. Ho) is currently assigned to K Division
b. Criminal Intelligence Analyst Chris Mowbray (CIA Mowbray) is a civilian criminal analyst with the RCMP in Edmonton;
c. Civilian Member Clint Felkar (CM Felkar) is a civilian investigator currently assigned to K Division CyberCrime Investigation Team in Edmonton.

13. The following individuals or agencies are referenced in this document.
This is a brief description of their role in this investigation:
a. Martin Dinel (Dinel) is the Chief Information Security Officer for Service Alberta. Service Alberta, and the sub-department Cybersecurity Services is responsible for cyber security for the Province of Alberta;
b. Gurjot Singh (Singh) is a cybersecurity analyst with Cybersecurity Services;
c. Telus Communications Inc. through their sub-department Telus Health operates the COVID19 vaccination record portal on behalf of the Province of Alberta. Telus is also the Internet Service Provider for Thomas Dang. These two roles are separate for the purpose of this investigation;
d. Alberta Health is the government ministry that contracts Telus Health to operate the COVID19 vaccination record portal. Alberta Health utilizes Service Alberta to investigate cybersecurity matters.

Personal Knowledge

14. From my own training, knowledge and experience I know the following:
a. IP addresses are unique numerical identifiers used by computers to talk to each other over a network. Blocks of these addresses are owned by Internet Service Providers such as Telus, Bell, Rogers, and then individual IP addresses are temporarily leased to individual customers. These leases could be for hours, days or months at a time. IP addresses could be described as the computer version of telephone numbers;
b. The TOR Network is a computer network that operates over the internet. Its purpose is to allow people to utilize the internet anonymously. It does this by relaying your internet traffic through a randomized network of computers, called nodes across the world. The website you visit does not see your IP address, it only sees the IP address of the exit node, which is the last node your internet traffic passes through before going to the website. The country in which your exit node is located is picked at random, and changes frequently.
It does not reflect what country you are actually located in. A user in Canada could have an exit node located in Canada, Germany, the United States or anywhere in the world. While it is most commonly known for being used to access the dark web, TOR can be used on the regular internet as well;
c. The IP addresses of exit nodes are publically listed. Various tools used to check IP addresses can cross-reference these IP addresses with those of known TOR exit nodes;
d. A script is a type of computer code that can be utilized to execute commands on a computer, including the automation of functions, such as inputting information into websites. Scripts can be relatively easy to write, requiring only a basic level of understanding of computer coding;
e. A brute force attack is when the attacker simply tries every possible combination until they find the right one. Usually these are conducted to find the password or similar credential to gain access to something. This often means millions of tries and would require some sort of automated process or program to run this many attempts;
f. OSCP in terms of computing often refers to Offensive Security Certified Professional. Individuals who have an OSCP certification have developed skill in penetration testing. This certification requires individuals to be able to "hack" into multiple computer systems;
g. "Infosec" in terms of computing is Information Security. This includes topics such as penetration testing;
h. Penetration Testing is in layman's terms, hacking into a computer system. This can be done with the permission of the target's owner to test for vulnerabilities. However these same skills can be utilized without the owner's permission for various reasons such as to obtain data that one is not authorized to obtain. Penetration testing uses specialized computer applications and Operating Systems;
i. Twitter is a publically accessible social media platform.
Individuals, companies and organizations often use it to get messages out to the public. Accounts belonging to public figures or companies can become "verified" in which Twitter confirms that the account is owned by the entity that it claims to be. A post on Twitter is referred to as a Tweet.

Province of Alberta Information

15. On November 19th, 2021 Martin Dinel (Dinel), the Chief Information Security Officer for the Province of Alberta provided me with a report. The following is a summary of the relevant portions of this report:
a. In September of 2021, Alberta Health launched a website for Albertans to download their proof of COVID19 vaccination;
b. Between September 19th, 2021 and September 21st, 2021 the website received 3.5 million requests for the date of birth May 30th, 1968, which the report states is the date of birth of the Honorable Premier of Alberta Jason Kenney;
c. A further 1 million requests were received using a date of birth April 7th, 1996, later determined to be the same as Thomas Dang, an MLA with the Alberta NDP;
d. These requests came through exit nodes on the TOR Network;
e. Telus is the third party service provider contracted to run this website. Telus's own internal investigation identified several IP addresses that match the abnormal traffic from the TOR Network but used non-TOR IP addresses;
f. There were 104 blocked attempts and 3 valid attempts by IP address [redacted].77.60, which is owned by Telus.

Investigator Comments
[I clarified with Singh on December 7th, 2021 that there were 2.25 million unique requests, along with 2.25 million responses from the website, not 4.5 million requests. This timeline will be further clarified by CIA Mowbray in paragraph 28. On December 13th, 2021 Singh also clarified that it was 0.1 million requests using the date of birth April 7, 1995, not 1 million.
The written report provided by Dinel has a discrepancy on the dates of birth submitted in the abnormal traffic. In the written portions of the report it has a date of birth one day different then what is in the graphs/charts within the reports. This is the same for both sets of abnormal data. The actual logs provided to investigators confirm the date of birth requested as being May 30'", 1968 and April 7, 1997, the dates of birth of Premier Kenney and Dang respectively. The written portion has the correct date of birth; the graphs are off by one day. Singh, who originally wrote the report clarified this is the result of the software used to create the graft.) 16. On November 224, 2021 I received an email from Dinel. The following is a summary of the relevant portions of this email: a, The COVID19 vaccination records site required the date of birth, Alberta PHN number and month of one of the vaccine doses in order to access the vaccination records of an individual; b. The abnormal requests appeared to be an attempt to "guess" the required information to access the vaccination of records of individuals; c. There is no evidence that any personal information was actually obtained through this attack. Investigator Comments [Abnormal was the term used by Dinel and the report to describe any traffic that was. irregular. This could include use of TOR, multiple requests from one IP of unrelated records. This type of attack is commonly referred to as a brute force attack, Page 7 of 17 lassification: Protected AIdentifier Number 2021-1731768CA3_ ‘Subsequent analysis by CM Felkar determined that personal information of two individuals was most likely obtained through this attack.] 17.On December 7", 2021 | received an email from Singh and followed up with a phone call. The following is a summary of the relevant portions of the email and phone call; a. Singh was clarifying some points in the report he wrote; b. 
The figure of 4.5 million is both requests by the attacker, and responses from the website; c. The date in the graphs are off by a day in his report due to the way the software interprets the time and date when making the graph. Investigator Comments [This is in reference to the report provided by Dinel to me on November 19", 2021 Every request sent by a user generates a response from the website. This matches what investigators have seen in reviewing the logs provided by Singh.] 18.On December 13", 2021 | received an email from Singh. The following is a summary of the relevant portions of the email: a. There is a typo in his report, it should state 0.1 million and not 1 million hits. Investigator Comments [This is in reference to the report provided by Dinel to me on November 19", 2021. This matches what investigators have seen in reviewing the logs provided by Singh] Police Investigative Steps 19.0n November 19", 2021 I searched IP addresq{M-77.60 on the websites whatismyipaddress.com and centralops.net. The following is a summary of the relevant portions of this search: Page 8 of 17 lassification: Protected AIdentifier Number 2021-1731768CA3, a, These websites use publically available information to determine which Internet Service Providers own specific IP address. It does not provide the subscriber data of residential subscribers; b. IP address [II.77.60 is owned by Telus, 20.On November 23", 2021 | spoke with Cpl. Ho and reviewed a log file made by him. The following is a summary of the relevant portions of this conversation: a. Cpl. Ho took the log files provided by Singh from Alberta Cybersecurity Services regarding the traffic to the COVID19 website, and copied relevant portions of the logs to a second spreadsheet; b. The logs provided by Alberta Cybersecurity Services contained millions of lines, covering all traffic to the COVID19 website for the month of ‘September. Cpl. 
Ho parsed this data to highlight the unusual traffic that was previously identified;
c. When Cpl. Ho reviewed the second spreadsheet there were multiple variations of Personal Health Numbers (PHN) and vaccine dates run by IP address [redacted].77.60.

21. On November 23rd, 2021 I reviewed the second spreadsheet created by Cpl. Ho. The following is a summary of the relevant portions of this spreadsheet:

a. From reviewing this data on the second spreadsheet created by Cpl. Ho I saw that IP address [redacted].77.60 had made multiple queries of similar data at the exact same time. This activity is consistent with an automated script rather than human interaction;
b. That IP address had obtained COVID19 records for a particular PHN (PHN "A") on September 19th, 2021;
c. Several TOR exit nodes also obtained data for PHN "A" on September 19th, 2021;
d. IP address [redacted].77.60 submitted one request and received results for a second particular PHN (PHN "B").

Investigator Comments

[I have referred to these PHN's as "A" and "B" to remove personal information from this ITO. I believe that the person using IP address [redacted].77.60 ran an automated script on the COVID19 website, possibly as a test. They then also ran the same data through TOR nodes. This would be consistent with someone testing a script for use in an attack. This is not normal user behavior.]

22. On December 1st, 2021 I received an email from Debbie Czerski (Czerski), an employee of Telus in their Security Department. The following is a summary of the relevant portions of this email:

a. Czerski was providing the results of the Production Order I obtained, authorized by Judge Creagh on November 26th, 2021 for subscriber information related to IP address [redacted].77.60;
b.
IP address 75.155.77.60 was leased only to Thomas Dang between September 19th, 2021 and September 21st, 2021.

23. On December 2nd, 2021 I read an affidavit from Tracey Chalmers (Chalmers), an employee of the Alberta Ministry of Health. The following is a summary of the relevant portions of this affidavit:

a. Chalmers was providing the results of the Production Order I obtained, authorized by Judge Creagh on November 26th, 2021 for the identity and contact information for Alberta PHN "A" and "B";
b. Alberta PHN "A" belongs to Thomas Dang;
c. Alberta PHN "B" belongs to Kristy Chan.

24. On December 2nd, 2021 I viewed the verified Twitter page of Dang. The following is a summary of the relevant portions of this Twitter page:

a. Dang describes himself as an "Infosec enthusiast. OSCP."

25. On December 9th, 2021 I spoke with CM Felkar. The following is a summary of the relevant portions of this conversation:

a. CM Felkar took the original logs provided by Singh and parsed out the queries for date of birth May 30th, 1968 into a separate file. CM Felkar then searched this second log file for any queries that returned records and used the month of vaccination as April;
b. Three results were provided on September 23rd, 2021 for the date of birth May 30th, 1968 with the month of vaccination dose as April;
c. Two of these results were incremental, matching the pattern of the scripted queries;
d. CM Felkar performed a WHOIS search on the IP addresses used for these two queries. Both of them were for TOR exit nodes located in Germany and conducted approximately 27 minutes apart.

Investigator Comments

[Based on the findings of CM Felkar I believe that whomever ran the scripted attack with date of birth May 30th, 1968 accessed the records of at least one individual's COVID19 vaccine records. In my previous application I stated that two individual's records were accessed.
After reviewing the results from CM Felkar again, it is one individual PHN accessed twice from two different TOR nodes. There were multiple attempts by the script to obtain this particular PHN but only once was the script successful. The second request may have been a manual request for the information.]

26. On December 17th, 2021, CIA Mowbray analyzed log files parsed by CM Felkar, from the log files provided by Singh. The following is a summary of the relevant portions of this report:

a. There were 119 queries to the COVID19 portal from IP address [redacted].77.60 for date of birth April 7, 1995, most of which were for PHN "A" on September 19th, 2021 between 11:00 am and 12:00 pm. The last query in this spike of queries was at 12:03 pm;
b. Starting 39 seconds later at 12:04 pm PHN "A" was requested multiple times in quick succession using the TOR network;
c. Over 49,000 queries for the date of birth April 7, 1995 were made on September 19th, 2021, with the majority of them between 8:00 pm and 10:00 pm using the TOR network;
d. Starting around midnight on September 20th, 2021 hundreds of thousands of queries are made on the TOR network for date of birth May 30th, 1968. In total between September 19th, 2021 and September 23rd, 2021 there are approximately 1.78 million queries made for this date of birth. During this time, the number of queries for PHN "A" and the date of birth April 7th, 1995 are negligible;
e. The PHN's queried are somewhat sequential;
f. Mowbray identified gaps in his analysis, including that he only reviewed the log files provided by investigators, which are for PHN "A", IP address [redacted].77.50, and the dates of birth April 7th, 1995 and May 30th, 1988, not the entire log files provided by Singh. Only parsed data was provided to CIA Mowbray due to the size of the log files. Software and computer limitations hindered him from reviewing all the data.
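The indicators in CIA Mowbray's log analysis summarized above (volume per date of birth, request rates beyond manual entry, near-sequential PHNs, TOR exit sources) can be computed directly from request logs. The Python below is an added illustration, not part of the court filing or the investigators' tooling; the log layout, field names, thresholds, IP addresses and every sample record are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed addresses from documentation ranges; a real check would load
# the publicly listed TOR exit addresses for the period under review.
TOR_EXITS = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}


def build_sample_log():
    """Constructed sample lines: timestamp,source_ip,dob,phn,result."""
    lines, exits = [], sorted(TOR_EXITS)
    t, phn = datetime(2021, 1, 1, 7, 0, 0), 100000000
    for i in range(120):                      # one scripted run, 4 requests/second
        result = "HIT" if i == 90 else "MISS"
        lines.append(f"{t.isoformat()},{exits[i % 3]},1970-01-01,{phn},{result}")
        t += timedelta(milliseconds=250)
        phn += 2 if i % 10 == 0 else 1        # "somewhat sequential" guesses
    # Ordinary users looking up their own record.
    lines.append("2021-01-01T09:15:02,198.51.100.7,1985-06-15,222222222,MISS")
    lines.append("2021-01-01T09:15:40,198.51.100.7,1985-06-15,222222222,HIT")
    lines.append("2021-01-01T10:02:11,198.51.100.8,1990-02-02,333333333,HIT")
    return lines


def parse_line(line):
    """Parse one line of the assumed (hypothetical) CSV layout."""
    ts, ip, dob, phn, result = [f.strip() for f in line.split(",")]
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "dob": dob,
            "phn": int(phn), "hit": result == "HIT"}


def analyze(records, tor_exits, human_per_minute=10, min_distinct_phns=20):
    """Group lookups by date of birth and score each group for scripting."""
    by_dob = defaultdict(list)
    for r in records:
        by_dob[r["dob"]].append(r)
    report = {}
    for dob, rows in by_dob.items():
        rows.sort(key=lambda r: r["ts"])
        per_minute, per_ip_phn = defaultdict(int), defaultdict(int)
        for r in rows:
            per_minute[r["ts"].replace(second=0, microsecond=0)] += 1
            per_ip_phn[(r["ip"], r["phn"])] += 1
        phns = [r["phn"] for r in rows]
        # Share of consecutive requests whose PHN moved up by a small step.
        steps = [b - a for a, b in zip(phns, phns[1:])]
        seq_ratio = sum(1 for s in steps if 0 < s <= 3) / len(steps) if steps else 0.0
        distinct, peak = len(set(phns)), max(per_minute.values())
        report[dob] = {
            "requests": len(rows),
            "distinct_phns": distinct,
            "distinct_ips": len({r["ip"] for r in rows}),
            "tor_share": sum(r["ip"] in tor_exits for r in rows) / len(rows),
            "peak_per_minute": peak,
            "sequential_ratio": round(seq_ratio, 2),
            # A counter keyed on IP+PHN never sees more than this many tries,
            # which is why the date-of-birth key is the one that exposes the run.
            "max_per_ip_phn": max(per_ip_phn.values()),
            "hits": [r["phn"] for r in rows if r["hit"]],
            "scripted": (distinct >= min_distinct_phns
                         and peak > human_per_minute
                         and seq_ratio >= 0.8),
        }
    return report


if __name__ == "__main__":
    result = analyze([parse_line(l) for l in build_sample_log()], TOR_EXITS)
    for dob, stats in sorted(result.items()):
        print(dob, stats)
```

Counting requests only, as this sketch does, gives half the figure obtained when each response is also counted as a hit.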
Investigator Comments

[The number of hits according to Singh's analysis and CIA Mowbray's analysis differ because Singh counted both the request made to the site, and the response from the site, while CIA Mowbray only included requests made to the site in his analysis. Having a number of requests in a short period of time that exceeds the ability of a normal user to make manually, along with the sequential changing of information in the requests gives me reason to believe that this is a scripted brute force attack.]

27. On January 10th, 2022 I reviewed a spreadsheet created by CM Felkar based upon the logs provided by Singh. The following is a summary of the relevant portions of this report:

a. On September 23rd, 2021 at 7:21 am, the scripted attack on the COVID records portal requested PHN [redacted] (PHN C) and obtained a copy of the COVID vaccination records for that individual, using the TOR network. There were several failed attempts from multiple TOR nodes over several seconds prior to the record being produced;
b. At 7:48 am, another request for PHN C was made to the COVID records portal using the TOR network. This also produced a copy of the vaccination records for PHN C;
c. At 9:42 am PHN C's records are obtained again using the TOR network;
d. At no other time in the logs provided by Singh was PHN C queried.

Investigator Comments

[The failed attempts described in sub-paragraph a were likely a result of IP's being banned by the server. Based on the timing of these requests I believe this successful request was part of the scripted attack. The second one, 27 minutes later is likely a manual verification of the scripts results performed by the individual running the attack. The third time the record is obtained is again believed to be a manual request. As
detailed in the following paragraph the attack stopped at 7:50 am on September 23rd, 2021.]

28. On January 10th, 2021 I reviewed the logs provided by Singh. The following is a summary of the relevant portions of this log:

a. The scripted attack on the COVID vaccination record portal stopped at 7:50 am on September 23rd, 2021;
b. PHN C was searched one additional time at 9:42 am on September 23rd, 2021.

Investigator Comments

[The scripted attack stops one minute after the first manual entry of PHN C. Eight minutes after PHN C is run manually on the TOR network for a second time, an email is sent from the Alberta NDP Director of Communications to the Minister of Health's Press Secretary, as described in the following paragraph.]

29. On January 10th, 2022 I read an email from Benjamin Alldritt (Alldritt) to Steve Buick (Buick). The following is a summary of the relevant portions of this email:

a. Alldritt is the Alberta NDP Caucus Director of Communications;
b. On September 23rd, 2021 at 9:50 am Alldritt sent the following email to Buick (this is the full email verbatim):

Hi Steve,

Thanks for speaking with me just now. As I said, a party reached out to us today and claimed that they had succeeded in finding Albertans' personal health numbers from the new vaccine passport website. This is their description of the issue:

"The page uses an inadequate form of security to prevent scraping. The restriction on IP+PHN (5 attempts) must be protected additionally by a CAPTCHA to prevent the leaking of PHN and vaccination dates/personal health information."

It's possible that this is a prank, but their tone seems genuinely concerned. Hopefully the dept can look into this ASAP.

Investigator Comments

[The description of the issue is consistent with a description of the scripted attack that was run on the COVID vaccination portal and is described throughout this document.
This email was sent approximately 2 hours after the attack was successful in obtaining vaccination records for PHN C, and eight minutes after PHN C's records were queried one last time.]

Conclusion

30. I have reasonable grounds to believe that the named offence has been committed. I base my belief on the following as set out in this Information to Obtain:

a. The Alberta Government COVID19 records website (a computer system) received approximately 1.8 million abnormal requests;
b. These requests attempted to brute force the personal information of two different people, believed to possibly be Premier Kenney and Thomas Dang, to obtain records stored on the computer system;
c. One of the PHN's queried through the brute force attack produced the COVID19 vaccine records of individuals. This same PHN was accessed twice more in the following two hours over the TOR network.

31. I have reasonable grounds to believe that the data sought is in the possession or control of Alberta Health. I base my belief on the following, as previously set out in this Information to Obtain:

c. According to the logs, data was obtained from the Alberta Health COVID19 website for PHN C.

32. I have reasonable grounds to believe that the data will afford evidence of the named offences. I base my belief on the following, as previously set out in this Information to Obtain:

a. This will show the identities of the individual whose information was obtained through the COVID19 vaccine site, allowing police to identify potential suspects or victims.

33. I therefore request that Alberta Health be ordered to produce the said documents or data to Cst. Chris Augstman, a peace officer, at 11140 - 109 Street NW, Alberta, or delegate, as soon as reasonably possible but in any event no later than February 11th, 2022.
Terms and Conditions - Production Order

34. I propose that the Production Order be subject to the following terms and conditions:

Any data required to be produced shall be produced in electronic form recorded on machine readable electronic storage media, or in an otherwise accessible and usable form;

Any copies of printed documents required to be produced shall be certified by affidavit to be true copies;

Alberta Health may produce any document or data by electronic transmission to the electronic mail address chris.augstman@rcmp-grc.gc.ca provided that all necessary certificates are duly completed and transmitted by the same or other means prior to the expiry of the term of this order and that the electronic mail transmission be encrypted or password protected;

Nothing in this application shall be so construed as to require the production of any data or documents which are subject to solicitor client privilege;

Alberta Health has the right to apply to revoke or vary this order;

If Alberta Health contravenes this order without lawful excuse, they may be subject to a fine, to imprisonment or both.

Application for a Sealing Order

35. Due to the nature and circumstances of this investigation, I believe that the ends of justice would be subverted by the premature disclosure or public access of any information relating to the Production Order for the following reason. This Information on Oath contains the PHN of one individual. This is highly personal information and would need to be vetted out prior to being released. This outweighs in importance the access to the information.
Application for Non-Disclosure Order

36. I have reasonable grounds to believe that the disclosure of the existence of any of the contents of the Production Order made under Section 487.014(2) of the Criminal Code would jeopardize the on-going investigation. The involvement of the owner of this PHN has yet to be determined. If the owner of the PHN were to be notified of this Production Order they may change their behaviours or destroy evidence. Therefore, I am requesting an order prohibiting Alberta Health and any employee, servant or agent of Alberta Health from disclosing the existence of any of the contents of the order during the period of one year after the day on which this order is made.

37. I request that an Order be granted prohibiting access to this Information to Obtain and materials related to this application be held at the Edmonton Court Registry located at 1A Sir Winston Churchill Square, Edmonton Law Courts Building, Edmonton until further a court of competent jurisdiction orders otherwise.

I certify that Cst. Christopher Augstman satisfied me that he was a person entitled to affirm.

Affirmed before me on this 14th of January, 2022 at Edmonton, Alberta.

[signature stamps]

A Commissioner for Oaths in and for the Province of Alberta (no expiry)

Constable Christopher Augstman, RCMP

Classification: Protected A
Identifier Number 2021-1731768CA4

Canada
Provincial Court of Alberta
Criminal Division
Judicial District of Edmonton

In the matter of an Application for: A Preservation Order Pursuant to Section 487.013(2) of the Criminal Code And An Order Denying Access Pursuant to Section 487.3 of the Criminal Code.

INFORMATION ON OATH

1. I, Constable Christopher Augstman, a peace officer and a member of the Royal Canadian Mounted Police, affirm and say as follows:

2.
I have reasonable grounds to suspect that the following offences have been committed, namely:

a. Unauthorized Use of a Computer contrary to Section 342.1 of the Criminal Code.

3. I have reasonable grounds to suspect that the following computer data is in the possession or control of Benjamin Alldritt and will assist in the investigation of the named offence:

a. Emails, WhatsApp messages and other electronic communications, sent or received on September 23rd, 2021 regarding the COVID19 Vaccine record portal security.

4. Benjamin Alldritt is not under investigation for the named offence.

Introduction

5. I have been a member of the RCMP for the last 12 years. Currently I am in the K Division (Alberta) Cybercrime Investigation Team, located in Edmonton. Prior to this I was in the Red Deer RCMP Cyber/Financial Crime Unit. I have participated in over 40 investigations involving the use of open source intelligence gathering or various cyber crimes, both where the computer was the target and where the computer is a tool for committing the offence. This includes; ransomware investigations against critical infrastructure as well as small businesses, unauthorized access to a computer, cryptocurrency thefts, online harassment and phishing campaigns.

6. I have completed a number of law enforcement and civilian training courses. This includes the Canadian Police College Cybercrime Investigations Course, the National Cyber-Forensics and Training Alliance Deep/Dark Web Investigation Course and Cryptocurrency Investigation Course, Humber College's CyberCrime Certificate, and Mohawk College's Hacker Techniques, Tools and Incident Handling. I have also completed the RCMP training for on-line undercover operations and have made a successful purchase of materials from the dark web.

7. All addresses are in the City of Edmonton in the Province of Alberta unless otherwise stated.

Previous Applications

8.
On November 26th, 2021, Judge Creagh authorized a Production Order for Telus and Alberta Health.

9. On December 20th, 2021, Judge Creagh authorized a Search Warrant for the residence of Thomas Dang and Kristy Chan.

10. On January 19th, 2022, Judge Creagh authorized a Production Order for Alberta Health.

11. In September of 2021, Alberta Health launched a website allowing individuals to download their COVID19 vaccine records. Upon the website going live, it was flooded with abnormal traffic. Many of these requests came through the TOR Network, which is a system designed to provide anonymity to a user, hiding their true IP address by using a relay system. During this time there were 1.75 million requests using the date of birth of Premier Jason Kenney, and a further approximately 50,000 requests using the date of birth of Thomas Dang, a MLA with the NDP. While most of the suspicious requests came from TOR IP addresses, there were approximately 100 attempts by IP address [redacted].77.60 that appear to be automated. The same Personal Health Number queried by [redacted].77.60 was also searched by several TOR nodes shortly after. Further, the logs show that at least one PHN (PHN C) may have been accessed through this brute force attack. PHN C was queried three times on September 23rd, once by the scripted attack, then again twenty-seven minutes later and finally approximately two hours later. After the second query the scripted attack stopped. After the third query an email was sent from Benjamin Alldritt, the Alberta NDP Director of Communications to the Alberta Ministry of Health Director of Communications informing him of a security vulnerability to the COVID19 vaccine portal. A search warrant was executed on the residence of Thomas Dang and a number of computers were seized from his residence.
During a non-custodial warned caution statement, Dang admitted that he tested the system and successfully downloaded someone's record. He stated it was his obligation as an MLA and a cybersecurity professional to check the site for potential flaws and report them to Alberta Health.

12. The purpose of this application is to obtain a production order for Benjamin Alldritt to provide records related to emails and WhatsApp messages about the security of the COVID19 portal on the day he reported it to Alberta Health. This will provide evidence of individual's private data being accessed without proper authorization.

13. The second application is in relation to a Search Warrant for several computers seized from Dang's residence during the execution of the search warrant. While the original authorized did provide for the forensic analysis of the devices, and implemented measures to protect Parliamentary Privilege, the Alberta Legislative Assembly has retained outside counsel as they feel the initial provisions are not sufficient. This authorization is to implement a referee system for some of the devices seized.

14. I have relied on the information from the following law enforcement personnel, who are all police officers of the RCMP unless otherwise stated:

a. Corporal Lucky Ho (Cpl. Ho) is currently assigned to K Division
b. Criminal Intelligence Analyst Chris Mowbray (CIA Mowbray) is a civilian criminal analyst with the RCMP in Edmonton;
c. Constable Chris Massicotte (Cst. Massicotte) is a member of the K Division Interview Assistance Team in Edmonton, in addition to his regular duties;
d. Civilian Member Clint Felkar (CM Felkar) is a civilian investigator currently assigned to K Division CyberCrime Investigation Team in Edmonton.

15. The following individuals or agencies are referenced in this document.
This is a brief description of their role in this investigation:

a. Martin Dinel (Dinel) is the Chief Information Security Officer for Service Alberta. Service Alberta, and the sub-department Cybersecurity Services is responsible for cyber security for the Province of Alberta;
b. Gurjot Singh (Singh) is a cybersecurity analyst with Cybersecurity Services;
c. Telus Communications Inc. through their sub-department Telus Health operates the COVID19 vaccination record portal on behalf of the Province of Alberta. Telus is also the Internet Service Provider for Thomas Dang. These two roles are separate for the purpose of this investigation;
d. Alberta Health is the government ministry that contracts Telus Health to operate the COVID19 vaccination record portal. Alberta Health utilizes Service Alberta to investigate cybersecurity matters;
e. Benjamin Alldritt (Alldritt) is the Director of Communications for the Alberta NDP Party;
f. Jeremy Nolais (Nolais) is the Chief of Staff for the Alberta NDP Party;
g. Maciek Nowacki (Nowacki) is a computer programmer who provided information to Dang. Nowacki is not associated to any organization related to this investigation.

16. Within this Information on Oath, I have relied on information from police computer based data systems which include:

a. The Police Reporting and Occurrence System (PROS) is a computer data repository which contains information obtained by the RCMP and various enforcement agencies during the course of investigations, such as individuals' names, dates of birth, addresses, telephone numbers, as well as file information.

Grounds for belief

Personal Knowledge

17. From my own training, knowledge and experience I know the following:

a. IP addresses are unique numerical identifiers used by computers to talk to each other over a network.
Blocks of these addresses are owned by Internet Service Providers such as Telus, Bell, Rogers, and then individual IP addresses are temporarily leased to individual customers. These leases could be for hours, days or months at a time. IP addresses could be described as the computer version of telephone numbers;
b. The TOR Network is a computer network that operates over the internet. Its purpose is to allow people to utilize the internet anonymously. It does this by relaying your internet traffic through a randomized network of computers, called nodes across the world. The website you visit does not see your IP address, it only sees the IP address of the exit node, which is the last node your internet traffic passes through before going to the website. The country in which your exit node is located is picked at random, and changes frequently. It does not reflect what country you are actually located in. A user in Canada could have an exit node located in Canada, Germany, the United States or anywhere in the world. While it is most commonly known for being used to access the dark web, TOR can be used on the regular internet as well;
c. The IP addresses of exit nodes are publicly listed. Various tools used to check IP addresses can cross-reference these IP addresses with those of known TOR exit nodes;
d. A script is a type of computer code that can be utilized to execute commands on a computer, including the automation of functions, such as inputting information into websites. Scripts can be relatively easy to write, requiring only a basic level of understanding of computer coding;
e. A brute force attack is when the attacker simply tries every possible combination until they find the right one. Usually these are conducted to find the password or similar credential to gain access to something. This often means millions of tries and would require some sort of automated process or program to run this many attempts.
f. WhatsApp is an instant messaging service owned by Meta Platforms (formerly known as Facebook Inc.). This service allows members to contact each other, similar to text messaging. Data from the messages is often retained on a user's device;
g. RCMP K Division Digital Forensic Services is located at 18807 Stony Plain Road, Edmonton;
h. RCMP Exhibit numbers are created by PROS. It is impossible for two different exhibits to be given the same exhibit number.

Province of Alberta Information

18. On November 19th, 2021 Martin Dinel (Dinel), the Chief Information Security Officer for the Province of Alberta provided me with a report. The following is a summary of the relevant portions of this report:

a. In September of 2021, Alberta Health launched a website for Albertans to download their proof of COVID19 vaccination;
b. Between September 19th, 2021 and September 21st, 2021 the website received 3.5 million requests for the date of birth May 30th, 1968, which the report states is the date of birth of the Honorable Premier of Alberta Jason Kenney;
c. A further 1 million requests were received using a date of birth April 7, 1995, later determined to be the same as Thomas Dang, an MLA with the Alberta NDP;
d. These requests came through exit nodes on the TOR Network;
e. Telus is the third party service provider contracted to run this website. Telus's own internal investigation identified several IP addresses that match the abnormal traffic from the TOR Network but used non-TOR IP addresses;
f. There were 104 blocked attempts and 3 valid attempts by IP address [redacted].77.60, which is owned by Telus.

Investigator Comments

[I clarified with Singh on December 7th, 2021 that there were 2.25 million unique requests, along with 2.25 million responses from the website, not 4.5 million requests. This timeline will be further clarified by CIA Mowbray in paragraph 28.
On December 13th, 2021 Singh also clarified that it was 0.1 million requests using the date of birth April 7th, 1995, not 1 million.

The written report provided by Dinel has a discrepancy on the dates of birth submitted in the abnormal traffic. In the written portions of the report it has a date of birth one day different than what is in the graphs/charts within the reports. This is the same for both sets of abnormal data. The actual logs provided to investigators confirm the date of birth requested as being May 30th, 1968 and April 7, 1997, the dates of birth of Premier Kenney and Dang respectively. The written portion has the correct date of birth; the graphs are off by one day. Singh, who originally wrote the report, clarified this is the result of the software used to create the graph.]

19. On November 22nd, 2021 I received an email from Dinel. The following is a summary of the relevant portions of this email:

a. The COVID19 vaccination records site required the date of birth, Alberta PHN number and month of one of the vaccine doses in order to access the vaccination records of an individual;
b. The abnormal requests appeared to be an attempt to "guess" the required information to access the vaccination of records of individuals;
c. There is no evidence that any personal information was actually obtained through this attack.

Investigator Comments

[Abnormal was the term used by Dinel and the report to describe any traffic that was irregular. This could include use of TOR, multiple requests from one IP of unrelated records. This type of attack is commonly referred to as a brute force attack. Subsequent analysis by CM Felkar determined that personal information of two individuals was most likely obtained through this attack.]

20. On December 7th, 2021 I received an email from Singh and followed up with a phone call.
The following is a summary of the relevant portions of the email and phone call;

a. Singh was clarifying some points in the report he wrote;
b. The figure of 4.5 million is both requests by the attacker, and responses from the website;
c. The date in the graphs are off by a day in his report due to the way the software interprets the time and date when making the graph.

Investigator Comments

[This is in reference to the report provided by Dinel to me on November 19th, 2021. Every request sent by a user generates a response from the website. This matches what investigators have seen in reviewing the logs provided by Singh.]

21. On December 13th, 2021 I received an email from Singh. The following is a summary of the relevant portions of the email:

a. There is a typo in his report, it should state 0.1 million and not 4 million hits

Investigator Comments

[This is in reference to the report provided by Dinel to me on November 19th, 2021. This matches what investigators have seen in reviewing the logs provided by Singh.]

Police Investigative Steps

22. On December 9th, 2021 I spoke with CM Felkar. The following is a summary of the relevant portions of this conversation:

a. CM Felkar took the original logs provided by Singh and parsed out the queries for date of birth May 30, 1968 into a separate file. CM Felkar then searched this second log file for any queries that returned records and used the month of vaccination as April;
b. Three results were provided on September 23rd, 2021 for the date of birth May 30th, 1968 with the month of vaccination dose as April;
c. Two of these results were incremental, matching the pattern of the scripted queries;
d. CM Felkar performed a WHOIS search on the IP addresses used for these two queries. Both of them were for TOR exit nodes located in Germany and conducted approximately 27 minutes apart.
Investigator Comments

[Based on the findings of CM Felkar I believe that whomever ran the scripted attack with date of birth May 30, 1968 accessed the records of at least one individual's COVID19 vaccine records. In my previous application I stated that two individual's records were accessed. After reviewing the results from CM Felkar again, it is one individual PHN accessed twice from two different TOR nodes. There were multiple attempts by the script to obtain this particular PHN but only once was the script successful. The second request may have been a manual request for the information.]

23. On December 17th, 2021, CIA Mowbray analyzed log files parsed by CM Felkar, from the log files provided by Singh. The following is a summary of the relevant portions of this report:

a. There were 119 queries to the COVID19 portal from IP address [redacted].77.60 for date of birth April 7, 1995, most of which were for PHN "A" on September 19th, 2021 between 11:00 am and 12:00 pm. The last query in this spike of queries was at 12:03 pm;
b. Starting 39 seconds later at 12:04 pm PHN "A" requested was multiple times in quick succession using the TOR network;
c. Over 49,000 queries for the date of birth April 7th, 1995 were made on September 19th, 2021, with the majority of them between 8:00 pm and 10:00 pm using the TOR network;
d. Starting around midnight on September 20th, 2021 hundreds of thousands of queries are made on the TOR network for date of birth May 30th, 1968. In total between September 19th, 2021 and September 23rd, 2021 there are approximately 1.78 million queries made for this date of birth. During this time, the number of queries for PHN "A" and the date of birth April 7, 1995 are negligible;
e.
The PHN's queried are somewhat sequential;

Mowbray identified gaps in his analysis, including that he only reviewed the log files provided by investigators, which are for PHN “A”, IP address [redacted] 77.60, and the dates of birth April 7th, 1995 and May 30th, 1968, not the entire log files provided by Singh. Only parsed data was provided to CIA Mowbray due to the size of the log files. Software and computer limitations hindered him from reviewing all the data.

Investigator Comments

[The number of hits according to Singh's analysis and CIA Mowbray's analysis differ because Singh counted both the request made to the site, and the response from the site, while CIA Mowbray only included requests made to the site in his analysis. Having a number of requests in a short period of time that exceeds the ability of a normal user to make manually, along with the sequential changing of information in the requests gives me reason to believe that this is a scripted brute force attack.]

24. On December 21st, 2021, police executed a search warrant at [redacted]. A number of computers and electronic storage devices were seized.

25. On January 10th, 2022 I reviewed a spreadsheet created by CM Felkar based upon the logs provided by Singh. The following is a summary of the relevant portions of this report:

a. On September 23rd, 2021 at 7:21 am, the scripted attack on the COVID records portal requested PHN C and obtained a copy of the COVID vaccination records for that individual, using the TOR network. There were several failed attempts from multiple TOR nodes over several seconds prior to the record being produced;

b. At 7:48 am, another request for PHN C was made to the COVID records portal using the TOR network. This also produced a copy of the vaccination records for PHN C;

c. At 9:42 am PHN C's records are obtained again using the TOR network.
Investigator Comments

[The failed attempts described in sub-paragraph a were likely a result of IP's being banned by the server. Based on the timing of these requests I believe this successful request was part of the scripted attack. The second one, 27 minutes later is likely a manual verification of the script's results performed by the individual running the attack. The third time the record is obtained is again believed to be a manual request. As detailed in the following paragraph the attack stopped at 7:50 am on September 23rd, 2021. This is consistent with the actions Dang stated he took, except Dang stated this occurred on September 20th, 2021.]

26. On January 10th, 2021 I reviewed the logs provided by Singh. The following is a summary of the relevant portions of this log:

a. The scripted attack on the COVID vaccination record portal stopped at 7:50 am on September 23rd, 2021;

b. PHN C was searched one additional time at 9:42 am on September 23rd, 2021.

Investigator Comments

[The scripted attack stops one minute after the first manual entry of PHN C. Eight minutes after PHN C is run manually on the TOR network for a second time, an email is sent from Alldritt to the Minister of Health's Press Secretary Steve Buick (Buick), as described in the following paragraph.]

27. On January 10th, 2022 I read an email from Alldritt to Buick. The following is a summary of the relevant portions of this email:

a. On September 23rd, 2021 at 9:50 am Alldritt sent the following email to Buick (this is the full email verbatim):

Hi Steve,

Thanks for speaking with me just now. As I said, a party reached out to us today and claimed that they had succeeded in finding Albertans' personal health numbers from the new vaccine passport website. This is their description of the issue:

“The page uses an inadequate form of security to prevent scraping.
The restriction on IP+PHN (5 attempts) must be protected additionally by a CAPTCHA to prevent the leaking of PHN and vaccination dates/personal health information.”

It's possible that this is a prank, but their tone seems genuinely concerned. Hopefully the dept can look into this ASAP.

Investigator Comments

[The description of the issue is consistent with a description of the scripted attack that was run on the COVID vaccination portal and is described throughout this document. This email was sent approximately 2 hours after the attack was successful in obtaining vaccination records for PHN C, and eight minutes after PHN C's records were queried one last time.]

28. On January 18th, 2022 Cst. Massicotte took a statement from Dang. The following is a summary of the relevant portions of this statement:

a. Dang said he was told of a security vulnerability on Friday September 17th, 2021 to the COVID19 vaccine records portal. Dang did not mention who told him in the statement;

b. Dang felt he would not be able to reach someone at Alberta Health on a Friday afternoon to report this or gain permission to test it, but as an MLA with experience in cybersecurity it was his duty to ensure this system was secure;

c. On Sunday he began testing the site using a Python script to see if he could access records with an automated process guessing for someone's PHN. Dang admitted that he picked the date of birth of Premier Kenney to run the test;

d. He ran the test for 12 to 24 hours and obtained a record for someone, he is unsure who it was but stated it was a woman;

e. First thing Monday morning he stopped the script after getting a hit and reported it to Alldritt and Nolais. Dang insisted that this be disclosed immediately to Alberta Health so the problem could be fixed;

f. He told Alldritt the basics of the flaw so that Alberta Health could fix it. He did this through WhatsApp.
Alldritt then told Steve Buick at Alberta Health;

g. Dang stored everything from this test in a folder on his computer with the file path D:\projects\AbCOVIDscrape or something similar to that;

h. Dang believes there is some material on his computers that would fall into the category of Parliamentary Privilege.

Investigator Comments

[After the interview, Dang's lawyer contacted me and provided the contact information for the individual who purportedly informed Dang of the vulnerability, Maciek Nowacki. There are inconsistencies between the timeline presented by Dang in this interview and the data provided by Alberta Health. The COVID19 portal went live to the public on September 19th, 2021, which would have made it difficult but not impossible for someone to report the problem to him on September 17th, 2021. Additionally, Dang stated he obtained a PDF record and stopped the script on Monday (September 20th, 2021) and reported the issue then to Nolais and Alldritt. According to the log data the PDF was obtained and the script stopped on Thursday September 23rd, 2021. The email from Alldritt to Buick was sent on September 23rd, 2021 as well. Based on this I believe that Dang actually told Alldritt and Nolais on September 23rd, 2021, not September 20th, 2021 as Dang stated in his statement.

I believe the computer that Dang is referring to in subparagraph g is PE021.]

29. On January 18th, 2022 I sent Alldritt a Preservation Demand for the following:

a. Emails related to the COVID19 vaccine passport website on September 23rd, 2021

30. On January 19th, 2022 Alldritt spoke to Cpl. Ho on the phone. The following is a summary of the relevant portions of this conversation:

a. Alldritt said he is preserving emails related to the Preservation Demand I sent on January 18th, 2022;

b. Alldritt said he is in possession of WhatsApp messages related to this issue and will preserve those as well.
31. On January 19, 2022 I received an email from Nolais. The following is a summary of the relevant portions of this email:

a. Nolais does not believe he has any emails or other written communications about this subject from September 23rd, 2021. He was only involved in phone calls with Dang and Alldritt on this topic.

32. On January 31st, 2022 I received an email from Cst. Cook. The following is a summary of the relevant portions of this email:

a. Exhibits 20211731768 PE004, PE015, and PE021 are all currently with DFS and were seized from Dang's residence;

b. PE004 is a laptop with Kali Linux installed as the operating system;

c. PE015 is a computer seized from the basement, it is believed this was acting as a storage server for Dang;

d. PE021 is a desktop computer found in the main office in the home and is believed to be Dang's computer.

Investigator Comments

[I believe that PE021 is the computer Dang mentions in his statement as being the one he used for this attack and stored the data on.]

33. On February 1st, 2022 Cpl. Ho took a statement and received an email from Maciek Nowacki. The following is a summary of the relevant portions of this statement and email.

Nowacki reached out through social media to Dang after Nowacki downloaded his own COVID19 records as he was concerned there could be a vulnerability to the web portal;

Dang and Nowacki exchanged messages back and forth about theoretical ways the portal could be exploited.
They agreed that the mass downloading of records was infeasible, but obtaining one individual's records could be possible;

On September 23, 2022, Dang called Nowacki sometime before 8:30 am and told him that he had proof of concept for this attack;

Nowacki had no role in the actual exploitation of the COVID19 web portal, Nowacki had no prior knowledge of the site and downloaded his own record sometime between September 19th, 2021 and September 21st, 2021

Investigator Comments

[In Dang's statement, he claims he was contacted by Nowacki on September 17th, 2021, two days prior to the COVID19 vaccine web portal actually being opened to the public. Nowacki stated he did not contact Dang until after he downloaded his own personal records sometime between September 19th, 2021 and September 21st, 2021.]

Conclusion

34. I have reasonable grounds to believe that the named offence has been committed. I base my belief on the following as set out in this Information to Obtain:

a. The Alberta Government COVID19 records website (a computer system) received approximately 1.8 million abnormal requests;

b. These requests attempted to brute force the personal information of two different people, believed to possibly be Premier Kenney and Thomas Dang, to obtain records stored on the computer system;

c. One of the PHN's queried through the brute force attack produced the COVID19 vaccine records of individuals. This same PHN was accessed twice more in the following two hours over the TOR network.

35. I have reasonable grounds to believe that the data sought is in the possession or control of Alldritt. I base my belief on the following, as previously set out in this Information to Obtain:

a. Alberta Health provided a copy of an email sent to them on September 23, 2021 by Alldritt;

b. Alldritt stated he is preserving emails and WhatsApp chats related to this topic.
36. I have reasonable grounds to believe that the data will afford evidence of the named offences. I base my belief on the following, as previously set out in this Information to Obtain:

a. This data will show when Dang reached out to Alldritt and Nolais to inform them of the security issue, and what he told them of his involvement in this.

37. As Dang is a sitting Member of the Legislative Assembly, the Speaker of the Legislative Assembly has raised concerns regarding the potential for data subject to Parliamentary Privilege being on the computers, and in the communications between Dang and officials from the NDP Party. Due to this, my application for a Production Order for this data is delayed as an appropriate process is currently being drafted that all parties involved can agree to. I intend once this process is agreed upon that a Production Order will be sought with this process built into it.

38. I therefore request that Benjamin Alldritt be ordered to preserve the specified computer data that is in their possession or control when they receive this order, until May 7th, 2022 unless, before that date, the order is revoked or a document that contains the computer data is obtained under a warrant or an order.

Terms and Conditions - Production Order

39. I propose that the Production Order be subject to the following terms and conditions:

a. Alldritt has the right to apply to revoke or vary this order;

b. If Alldritt contravenes this order without lawful excuse, he may be subject to a fine, to imprisonment or both;

c. Benjamin Alldritt is required to destroy the computer data that would not be retained in the ordinary course of business and any document that is prepared for the purpose of preserving computer data, in accordance with section 487.0194 of the Criminal Code.
If Benjamin Alldritt contravenes that provision without lawful excuse, they may be subject to a fine, to imprisonment, or to both.

Application for a Sealing Order

40. Due to the nature and circumstances of this investigation, I believe that the ends of justice would be subverted by the premature disclosure or public access of any information relating to the Production Order and Search Warrant for the following reason. The communications between Dang and Alldritt may reveal further witnesses to be interviewed. Outside of the investigative team, no one is aware that the PHN C was run a third time, as this was not brought up with Dang in his interview. This important piece of information acts as hold-back and can be used to help verify any further witness statements that are obtained. This outweighs in importance the access to the information.

41. I request that an Order be granted prohibiting access to this Information to Obtain and materials related to this application be held at the Edmonton Court Registry located at 1A Sir Winston Churchill Square, Edmonton Law Courts Building, Edmonton until further a court of competent jurisdiction orders otherwise.

I certify that Cst. Christopher Augstman satisfied me that he was a person entitled to affirm.

Affirmed before me on this 7 of February, 2022 at Edmonton, Alberta.

[Digital signature: Noseworthy, Reid Scott Wallace, 000216708. Date: 2022.02.07 12:12:37]
[Digital signature: Augstman, Christopher John, 000185625]

A Commissioner for Oaths in and for the Province of Alberta
RCMP no expiry

Constable Christopher Augstman

Classification: Protected A, Identifier Number 2021-1731768CA5

Form 5.004 Form 1

Canada
Provincial Court of Alberta
Criminal Division
Judicial District of Edmonton

In the matter of an Application for:

A General Production Order Pursuant to Section 487.014(2) of the Criminal Code; And
A Warrant to Search Pursuant to Section 487 of the Criminal Code; And
An Assistance Order Pursuant to Section 487.02 of the Criminal Code; And
An Order Denying Access Pursuant to Section 487.3 of the Criminal Code.

INFORMATION ON OATH

1. I, Constable Christopher Augstman, a peace officer and a member of the Royal Canadian Mounted Police, affirm and say as follows:

2. I have reasonable grounds to believe that the following offences have been committed, namely:

a. Unauthorized Use of a Computer contrary to Section 342.1 of the Criminal Code

In relation to the Production Order

3. I have reasonable grounds to believe that the following data is in the possession or control of Benjamin Alldritt and will afford evidence respecting the commission of the named offences;

a. Emails, WhatsApp messages and other electronic communications, sent or received on September 23rd, 2021 regarding the COVID19 Vaccine record portal security.

4. Benjamin Alldritt is not under investigation for the named offence.

In relation to the Search Warrant

5. The following things (the things) will afford evidence in respect of the named offence;

a. RCMP Exhibit numbers: 20211731768PE004, 20211731768PE015, and 20211731768PE021, and the data contained within.

6. The things are stored in the following location:

a. RCMP Digital Forensic Services office - 18807 Stony Plain Road, Edmonton, AB.

Previously Denied Application

7.
On March 29th, 2022, Judge Stevens denied this application for the following reason:

a. I would grant both the Search Warrant and Production Order, however I am concerned about making an Assistance Order directed to Counsel. Please consider and provide further submissions if you wish, or remove the applications for the Assistance Orders and resubmit.

8. I have made the following amendments to this ITO and the corresponding authorizations:

a. The addition of paragraph 51 which outlines this is the recommendation of and with the consent of the outside counsel for the Speaker of Legislative Assembly of Alberta (the Speaker), Kent Teskey (Teskey). Teskey has been involved in the creation of this process;
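The indicators relied on in the Investigator Comments to paragraph 23 (a request rate beyond manual entry, sequentially changing PHNs) and the weakness quoted in paragraph 27 (an attempt limit keyed on IP+PHN) can be checked against portal logs along the following lines. This is an added example, not part of the court filing and not the investigators' or Alberta Health's tooling; the log format, field names, thresholds, addresses, birth dates and PHNs are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions chosen for the constructed sample below.
MANUAL_PEAK_PER_MIN = 20     # ceiling for a person typing into a web form
MIN_DISTINCT_PHNS = 50       # one birth date tried against many PHNs
MIN_SEQUENTIAL_RATIO = 0.8   # share of PHN-to-PHN steps that are small increments


def build_sample_log():
    """Constructed lines in an assumed format: 'timestamp ip dob phn status'."""
    start = datetime(2021, 1, 1, 8, 0, 0)
    sources = ["192.0.2.10", "198.51.100.23", "203.0.113.7", "192.0.2.99"]
    lines = []
    # Scripted pattern: fixed birth date, PHN rising by one, rotating source IP.
    for i in range(240):
        ts = start + timedelta(seconds=i // 2)            # two requests a second
        status = 200 if i == 239 else 404
        lines.append(f"{ts.isoformat()} {sources[i % 4]} 1970-01-01 "
                     f"{100000000 + i} {status}")
    # Ordinary users: own birth date and PHN, a few retries from one address.
    users = [("1985-03-02", 555000111), ("1992-11-30", 777000222)]
    for n, (dob, phn) in enumerate(users):
        for k in range(3):
            ts = start + timedelta(minutes=5 * n, seconds=40 * k)
            status = 200 if k == 2 else 404
            lines.append(f"{ts.isoformat()} 203.0.113.{50 + n} {dob} {phn} {status}")
    return lines


def parse(line):
    ts, ip, dob, phn, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "dob": dob,
            "phn": int(phn), "status": int(status)}


def ip_phn_lockouts(records, limit=5):
    """How many (IP, PHN) pairs exceed a per-pair attempt limit."""
    pairs = Counter((r["ip"], r["phn"]) for r in records)
    return sum(1 for count in pairs.values() if count > limit)


def profile_by_dob(records):
    """Group on the field that stays constant during enumeration: the birth date."""
    groups = defaultdict(list)
    for r in sorted(records, key=lambda rec: rec["ts"]):   # stable sort
        groups[r["dob"]].append(r)
    profiles = {}
    for dob, rs in groups.items():
        phns = [r["phn"] for r in rs]
        steps = [b - a for a, b in zip(phns, phns[1:])]
        small_steps = sum(1 for d in steps if 0 < d <= 10)
        per_minute = Counter(r["ts"].replace(second=0) for r in rs)
        profiles[dob] = {
            "requests": len(rs),
            "distinct_phns": len(set(phns)),
            "distinct_ips": len({r["ip"] for r in rs}),
            "sequential_ratio": small_steps / len(steps) if steps else 0.0,
            "peak_per_minute": max(per_minute.values()),
            "hits": [r["phn"] for r in rs if r["status"] == 200],
        }
    return profiles


def flag_scripted(profiles):
    """Birth dates whose traffic is too fast, too broad and too sequential."""
    return sorted(dob for dob, p in profiles.items()
                  if p["peak_per_minute"] > MANUAL_PEAK_PER_MIN
                  and p["distinct_phns"] >= MIN_DISTINCT_PHNS
                  and p["sequential_ratio"] >= MIN_SEQUENTIAL_RATIO)


if __name__ == "__main__":
    recs = [parse(line) for line in build_sample_log()]
    print("per-(IP, PHN) lockouts:", ip_phn_lockouts(recs))
    profs = profile_by_dob(recs)
    for dob in flag_scripted(profs):
        print("scripted enumeration suspected for DOB", dob, profs[dob])
```

On the constructed sample the per-(IP, PHN) counter never reaches its limit because both values change on every request, while grouping on the birth date surfaces the enumeration and the single PHN that returned a record.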