New Zealand activates security services as DDoS outage enters fourth day

The New Zealand government has called in its national cyber security services to investigate as the New Zealand Stock Exchange (NZX) remains offline for a fourth day of trading following an unprecedented volumetric distributed denial of service (DDoS) attack that has targeted the organisation through its network service provider.

The Auckland-based exchange had briefly resumed trading on the morning of Friday 28 August, but was again forced to cease trading due to network connectivity issues, and – at the time of writing – the exchange’s website remained inaccessible from a UK IP address.

In reported remarks made at a press conference, New Zealand’s finance minister Grant Robertson confirmed that both the Government Communications Security Bureau (GCSB) and National Cyber Security Centre (NCSC) were actively investigating.

“I can’t go into much more in terms of specific details, other than to say that we as a government are treating this very seriously. We are aware of the impact that it is having and that is why we have directed the GCSB to help the NZX with this situation,” he said.

NZX CEO Mark Peterson said the attack was clearly a systems connectivity issue and not a data or communications integrity issue, but said that NZX would not be providing further detail on the precise nature of the attack or any counter-measures it is putting in place, given the situation is still developing.

Miles Tappin, Europe, Middle East and Africe (EMEA) vice-president at ThreatConnect, commented: “There are various motivations behind DDoS attacks, including political, ethical or extortion tactics and they have been commonly disregarded as a major cyber security issue within the industry.

“Due to the fact that DDoS attacks don’t steal anything, but rather slow down or stop businesses in their tracks – many organisations have turned a blind eye to mitigating them,” he said.

“While DDoS attacks typically last a couple of minutes to hours, we have started to see them stretching to days even weeks, which can have a significant and lasting impact on any business. New Zealand, and other states worldwide, need to use this attack as a stark reminder of the importance of protecting their national critical infrastructure,” added Tappin.

Immuniweb founder and CEO Ilia Kolochenko floated the idea that the attack on NZX may be something of a dress rehearsal for a larger attack against a more prominent target, such as the NASDAQ or London exchanges.

“I don’t think that major cyber gangs have their own interest in, or were hired by someone, to conduct a DDoS capable of repeatedly shutting down NZX [when] even a daily outage of NYSE can lead to multibillion losses around the globe,” he said.

“Unfortunately, not much can be done to prevent large-scale and well-prepared DDoS attacks today. During the pandemic, the average price of bots used for DDoS has fallen and will probably become even more affordable.

“When millions of devices suddenly start a massive attack, it’s a question of network capacity, not network security. We witnessed many examples in the past, when even the largest DDoS protection companies ceased protecting some of their clients under exceptionally large DDoS and gave up.

“Web applications and APIs [application programming interfaces] should, however, be regularly audited for business logic and architectural security flaws that may consume all CPU/RAM and greatly facilitate a DDoS attack.”

The attack on NZX is understood to have originated offshore, according to Spark, the exchange’s network service provider, but further details of its origin are thin on the ground.

However, it is possible that it is linked to a series of DDoS extortion threats made earlier in August against finance and retail targets by advanced persistent threat (APT) groups claiming, although unconfirmed, to be Armada Collective and Fancy Bear – which may suggest a link to Russian groups.

These threats, which have been tracked by Akamai, involve ransom demands sent to the target organisation, threatening a large-scale DDoS attack unless they are paid off in bitcoin. The Armada Collective demand starts at five bitcoin rising to 10 if the deadline is missed, and the Fancy Bear demand starts at 20 bitcoin and rises to 30 if the deadline is missed, with an additional 10 for each additional day.

Akamai suspects that the demands are coming from copycat groups using the reputation of known APT groups to intimidate their targets.

“Should your organisation receive an extortion letter, Akamai recommends that the ransom not be paid, as there is no guarantee the attacks will end. Moreover, paying ransom demands will only further finance the group perpetrating them,” Akamai said.