A queue in the clouds at Turoa on September 13. Photo / Supplied
A queue in the clouds at Turoa on September 13. Photo / Supplied
It was a nuisance-value incident next to the rolling cyber-attacks on the NZX that occurred at the same time.
But the people who tried to disrupt Mt Ruapehu's online parking system earlier this month may find they've messed with the wrong man.
Police production orders are pending which, once servedon the alleged hackers' internet service providers, are expected to confirm the identity of three offenders - expected to be annoyed middle-class skiers rather than agents of the Chinese state or Ukrainian cyber crimelords.
The saga began in July, as the new ski season began.
Ruapehu Alpine Lifts, which operates the Whakapapa and Tūroa ski fields, introduced a new online carpark booking system.
You book via a website, then the system scans and recognises your license plate as your vehicle arrives.
Chief executive Jono Dean said the new parking system aimed to put an end to those frustrating queues and being turned around at the last minute.
But any change was always going to be contentious, given growing competition for spaces over recent years, but with Covid restrictions causing additional stress, there were always going to grumbles.
On Reddit, various punters thought either season-pass holders should be favoured, or the previous Darwinian system of first-in, first-served.
Then, on September 2, anger was turned on the Ruapehu parking system, with what RNZ described as "a deliberate attack" that took the system offline for several minutes.
The parking system was developed by Auckland company Theta - whose head of cyber security Jeremy Jones said there were a series of attempts to game or disable the parking system.
"There's a small cross-section of society who are avid skiers, and also work in IT, who were, shall we say, abusing their knowledge of technology to gain an unfair advantage," Jones told the Herald.
"In one case, they actually took the system down for a couple of minutes, because they were just hammering the website to try and block-book carparks. Whatever motivated them - whether they were trying to do it just to book a car park or whether they were trying to do it to discredit the application by taking it offline, because they object to restrictions, remains to be seen."
One person who was "abusing the application" was doing so from an IP address that indicated they worked for an IT company in Wellington; another was from an Auckland IT company; and another from a residential address in Auckland.
Theta head of cyber-security Jeremy Jones sees "Ukrainian or Eastern European kids" behind the recent attacks on the NZX. Photo / Supplied
Jones - a Canterbury University engineering grad who spent 16 years working for the UK Ministry of Defence, including being charged with the defence of a Nato data centre - says he knows the names of the companies concerned but does not want to name them at this point. He says that would spoil the police's party.
Asked about the production orders apparently soon to be served on the offenders' ISPs, a police spokeswoman declined comment, citing "operational reasons".
Postscript: Who was responsible for the NZX attacks
While the NZX attacks had no connection whatsoever to the Ruapehu incident. Jones' business also provides security for several companies listed on the local exchange - and as such he watched it with interest.
In his opinion it was very likely "just a bunch of kids in Ukraine or Eastern Europe" who were hiring a bot net by the hour.
Jones says a state actor, or organised crime cyber-gang, would have deployed a ransomware attack that could would have given the attackers control of the NZX's data until it paid up - or spent weeks rebuilding its systems.
Instead, they unleashed a DDoS (distributed denial of service) attack to send a flood of connection requests to the NZX's website, rendering it inaccessible to regular users.
The attack was never going to damage any NZX systems or seize any of its data, and it was only a matter of time before the exchange marshalled sufficient defences (in the final event, it brought in the multi-national Akamai, and created a second website for market announcements. The GCSB was also in the frame).
Jones says the attackers probably did make a financial demand realised early on that they had no chance of being paid. He thinks they carried on attacking the NZX for several days regardless purely in a fit of pique.
The pique extended to DDoS attacks on companies listed on the NZX, as Jones learned as several of Theta's clients were hit. "They were going through the list, one by one," he says. It was all for nought, however, with the attacks easily repelled.
