The NZX was taken offline yesterday and today in response to cyber attacks – potentially from Russian gangs.
What’s all this then?
For the second time in two days, the New Zealand stock exchange NZX was taken offline late this morning in response to offshore cyber attacks. The exchange went down around 11.20am this morning and came back online an hour later 12.20pm only to go offline again around 1.20pm.
For much of the afternoon a message on the website said the exchange was experiencing network connectivity issues and some trading had been halted.
According to an NZX spokesperson, the exchange is working with its network service provider Spark to address the issue.
“It appears that this is similar to yesterday’s issue,” the spokesperson said. “Late Tuesday, the exchange was hit by a DDoS (distributed denial of service) attack that swamped its servers.”
What’s a DDoS?
After the first attack which forced trading to halt at 4pm on Tuesday, the NZX and Spark issued a joint statement explaining that it had been subject to a DDoS attack.
“A DDoS attack aims to disrupt service by saturating a network with significant volumes of internet traffic. The attack was able to be mitigated and connectivity has now been restored for NZX.”
According to Professor Dave Parry of AUT’s department of computer science, the fact that the attack happened over multiple days indicates a high level of sophistication and determination.
“This means the web servers cannot service transactions normally and this is clearly a huge issue for a trading site where timing and assurance that transactions have completed are both critical.
“Attackers normally infect large numbers of ‘innocent’ computers with malware, turning them into ‘bots’ that can be instructed to keep trying to access the affected site. It’s like large numbers of people all shouting at you at once – you can’t distinguish the real messages from the false ones.”
Parry said there are two options for NZX to deal with the DDoS: shutting down the “bots” by getting users to update security patches and delete the malware or by blocking the IP addresses of the bot machines with a firewall so that the NZX site doesn’t have to deal with them.
It’s unclear at this stage how the NZX has chosen to deal with today’s attack while it has shut down its operations.
What is the point of the attack?
While it’s uncertain what the motives were behind the attacks, there are many reasons why cyber criminals would initiate them. NortonLifeLock senior director Mark Gorrie told the NZ Herald he suspects the attacks were likely financial motivated.
“A distributed denial-of-service attack is one of the most powerful weapons on the internet, it overwhelms a site or service with more traffic than the server or network can accommodate. DDoS attacks are a weapon of choice by profit-motivated cybercriminals,” he said.
“In the case of the NZX, we would guess the motivation behind the attack is profit-driven.”
While the NZX has not confirmed whether it has received an extortion demand, the Herald also reports that “DDoS attacks are executed for kicks, to prove a hacker’s chops; some are politically motivated; others have criminal intent”.
Who’s behind it?
The identity of the cyber criminals has not yet been confirmed as they are often difficult to track down. Dr Rizwan Asghar at the school of computer science at Auckland University told Stuff the culprits tended to hide their IP addresses.
Both the GCSB’s National Cyber Security Centre and Crown cyber security agency Cert NZ said they don’t general comment on specific cases so couldn’t provide details of who the culprits may be.
However, late last year Cert NZ issued an alert warning about Russian cyber gangs targeting companies within the New Zealand financial sector with extortion emails.
“The emails claim to be from a Russian group called ‘Fancy Bear / Cozy Bear’ and demand a ransom to avoid denial-of-service attacks. They carry out a short denial-of-service attack against a company’s IP address to demonstrate their intent. So far, a larger denial-of-service hasn’t happened if the ransom is not paid.”
If targeted, Cert NZ advices companies not to pay the ransom as it could entice further attacks. It also instructs companies to work with their ISPs and use a denial-of-service protection service,to prevent the denial-of-service traffic from reaching their systems.
However, AUT’s Dave Parry said that because the software and skills to carry out a DDoS are relatively accessible, anyone could be behind it, including foreign governments.
“These sort of attacks can be mounted by governments or private criminal gangs. Recently, Australia has pointed the finger at the Chinese government for similar attacks; the Chinese government has strongly denied this.”
Is the government involved?
As this is an offshore attack impeding critical New Zealand infrastructure, Parry said the government is most likely helping the NZX rectify the issue.
“GCSB will be involved along with Cert NZ in trying to identify the source of the attack,” he said.
“Unfortunately, the skills and software to do this are widely available and the disruption of Covid-19 and people working from home all over the world potentially with lower security on their computers means that these attacks are easier than usual.”
He said it’s worth New Zealanders checking their anti-virus software and security patches are up to date, and notifying their ISP if there is unusual activity.