NZX down again: Expert sees profit-driven extortion attempt

By Chris Keall
Technology Editor/Senior Business Writer, NZ Herald
26 Aug, 2020 05:35 AM

The NZX has been taken offline for around an hour for the second time in two days - amid a Crown security agency's warning that alleged Russian cybercriminals are targeting the NZ financial sector, and a private sector expert picking the exchange is the victim of a profit-driven extortion attempt.

The exchange went down at 11.24am and came back online around 12.20pm - only to go offline again around 1.20pm before full service was restored at 3pm.

"NZX confirms that it is working with its network service provider [Spark] to address a further issue today, impacting NZX system connectivity. It appears that this is similar to yesterday's issue," a spokesman said. Late Tuesday, the exchange was hit by a DDoS (distributed denial of service) attack that swamped its servers.

Security expert Daniel Ayers told the Herald as the second outage hit, "Given that a DDoS attack is an obvious threat I'm surprised NZX wasn't more resilient to that type of attack. DDoS attacks can be purchased on the Internet for just a few dollars and it is disturbing to think the NZ stock exchange could be taken down so easily."

Spark chief executive Jolie Hodson said she was aware of the outage. "We're working together but ultimately they're managing the matter and I can't speak on behalf of NZX."

Extortion warning

Declan Ingram, deputy director of Crown cybersecurity agency Cert NZ, said his organisation never commented on individual cases, because it did not want to inhibit organisations from reporting problems.

But late last year, Cert did issue an alert around DDoS extortion attempts by Russian gangs - or at least gangs claiming to be Russian - who were targeting the financial sector in New Zealand.

And he told the Herald this morning, "In 2019 we received 84 incident reports about DDoS attacks. In particular, cyber attackers emailed organisations alerting them that they would be subject to a DDoS attack unless they paid a ransom before a specified deadline. In some instances, the attackers initiated a warning or demonstrative attack against the organisation's IP network to prove their intent.

"Cert NZ does not recommend paying ransoms, as this could result in being targeted again," Ingram said.

That might be the official advice, but Wellington lawyer Michael Wigley has said there are some situations when paying up is the pragmatic choice - and Garmin reportedly paid a recent $14m ransom demand.

'Profit-driven' attacks

NortonLifeLock senior director Mark Gorrie told the Herald he saw financial motivation behind the twin attacks on the NZX.

"A distributed denial-of-service attack is one of the most powerful weapons on the internet, it overwhelms a site or service with more traffic than the server or network can accommodate. DDoS attacks are a weapon of choice by profit-motivated cybercriminals," Gorrie said.

"In the case of the NZX, we would guess the motivation behind the attack is profit-driven."

Cybercriminals traditionally send ransom demands before a DDoS attack, Gorrie said.

"It's financially driven in that regard, they also seek to breach systems and find high-value information, such as bank details or other personally identifiable information. This too can be ransomed, or sold on the dark web for financial gain. Don't underestimate cybercriminals. They're highly capable and well-resourced to sustain an attack such as the one happening to the NZX."

Gorrie added, "It's worth noting that in 2015 and 2016, a criminal group called the Armada Collective repeatedly extorted banks, web host providers, and others. We don't know why the attack happened, but cybercriminal motivation is more often than not about the same thing: Money."

NZX has so far refused to comment on Cert NZ's extortion alert or Gorrie's theory that the attacks are financially-motivated.

Serious questions

There were serious questions last night after the NZX lost its final hour of trading after being hit by a cyber attack.

At the time, the bourse was heading toward a record close.

Spark put out a statement at 6.49pm saying: "This afternoon a Spark customer, NZX Limited, experienced a volumetric DDoS (distributed denial of service) attack from offshore, which impacted NZX system connectivity. As such, NZX decided to halt trading in its cash markets at approximately 15.57.

"A DDoS attack aims to disrupt service by saturating a network with significant volumes of internet traffic. The attack was able to be mitigated and connectivity has now been restored for NZX."

Last night, security expert Ayers was surprised by the turn of events, tweeting: "Doesn't the NZX have DDoS protection?"

Spark had no further comment last night but is expected to give more information this morning.

Many motivations

Some DDoS attacks are executed for kicks, to prove a hacker's chops; some are politically motivated; others have criminal intent.

They have been out of the headlines for a couple of years, as hackers have turned more toward ransomware attacks that see data encrypted then a sum demanded for its release.

The Russian DDoS attack covered by the Cert NZ warning is variously known as "Fancy Bear" or "Cozy Bear".

The GCSB says it has prevented $100 million in harm from cyberattacks since 2016, and its cyberattack defences extend to un-named private sector players - but a spokesman said this morning it treats incidents as commercial in confidence to encourage organisations to disclose attacks.

NZX declined to make any immediate further comments, including on extortion or backup broadband connections, other than to say it expected the exchange to operate normally today.

'Serious attack on NZ infrastructure'

AUT computer science professor Dave Parry said, "This is a very serious attack on critical infrastructure in New Zealand. The fact that this has happened on a second day indicates a level of sophistication and determination which is relatively rare.

"DDoS attackers normally infect large numbers of 'innocent' computers with malware, turning them into 'bots' that can be instructed to keep trying to access the affected site. It's like large numbers of people all shouting at you at once – you can't distinguish the real messages from the false ones."

Normally there are two main ways to react, Parry said:

• Shut down the 'bots' – often by getting users to update security patches and delete the malware.

• Block the IP addresses of the 'bot' machines using a firewall - blacklisting - so that the NZX site doesn't have to deal with them.

"Because this is coming from overseas, the first option is difficult although there will be communication with legitimate ISPs and governments overseas. For the second option, Spark will be looking at network traffic to identify sources and block them. Sophisticated attackers will be changing the IP addresses of the attacking computers, potentially via Virtual Private Network software, turning them on and off and also adding new ones.

"The GCSB will be involved along with Cert in trying to identify the source of the attack. Unfortunately, the skills and software to do this are widely available and the disruption of Covid and people working from home all over the world potentially with lower security on their computers means that these attacks are easier than usual."

"The kind of attacks that look to have occurred with the NZX aren't usually the work of a state actor," Communications Minister Kris Faafoi told the Herald. Photo / RNZ

Communications Minister Kris Faafoi said the NZX attack did not bear the hallmarks of a state actor, according to advice he had received today.

But Parry responded that state-backed hackers often mimicked the behaviour of private hackers.

Parry added, "These sort of attacks can be mounted by governments or private criminal gangs. Recently, Australia has pointed the finger at the Chinese government for similar attacks; the Chinese government has strongly denied this. As yet, there is no evidence that this attack is by an overseas government. Criminal gangs, especially if they are based in poorly-regulated countries, can use these attacks to demand ransoms.

"This is not an issue around New Zealand computers being vulnerable to security breaches, but it is worth checking that anti-virus and security patches are up to date, and that people running websites, etc. notify their ISP if there is unusual activity."

What is a DDoS attack?

Security company NortonLifeLock says criminals prepare for a DDoS attack by taking over thousands of computers. These are often referred to as "zombie computers". They form what is known as a "botnet" or network of bots. These are used to flood targeted websites, servers and networks with more data than they can accommodate.

A volume-based or "volumetric" DDoS attack, which was apparently the variant that hit the NZX, sees massive amounts of traffic sent to overwhelm a network's bandwidth, NortonLifeLock says.

The company says a DDoS attack has to be repelled at the internet service provider level (often this involves temporarily blocking traffic from certain IP addresses).

But it is also a good idea to keep your security software up to date so your PC does not unwittingly become part of a botnet attack.

The NZX did not immediately respond to questions about whether it had received any extortion demand, whether its communications setup involved multiple providers for redundancy, and what steps were being taken to avoid another attack.
