Hackers are so good at covering their traces it's hard to tell a criminal from a state actor. (Image: NZ Herald graphic)
Now that the dust has settled, are we any more clear who was behind the five-day series of cyberattacks on the NZX?
In short, no - though the expert consensus is firming around a profit-motivated criminal enterprise over a state actor, kids trying to prove their chops, or hackers driven by malice (one ex-Spark manager noted that the attacks on the NZX - a marquee Spark customer - coincided with Brenton Tarrant's sentencing. He floated the idea they could be a revenge attack for the telco, and its peers, blocking 4Chan and other fringe online sites in the wake of the Christchurch mosque shootings after they shared banned content).
"Given the actions of the actors to date, and what we have learned from our international partners, it is more likely that this is the work of sophisticated and well-resourced cyber-criminals," a GCSB spokesman told the Herald this afternoon.
"Work to identify the actors is ongoing," the spokesman said. He would not comment on any operational details.
The spy agency assisted the GCSB with its response.
AUT computer science professor Dave Parry takes a similar tack.
"I think it is most likely to be a criminal gang that would have preferred to get a ransom but, when they didn't, continued to show their abilities," he says.
Earlier, Communications Minister Kris Faafoi said the attacks on the NZX "did not bear the hallmarks of a state actor," going by briefings he had received from the GCSB.
After a swathe of cyber-attacks on Australia during July, Australian PM Scott Morrison announced a $1.4 billion boost for cybersecurity spending - dwarfing Faafoi's single-digit millions here.
Faafoi did not immediately respond to a question about whether the GCSB's National Cyber Security Centre could get a further boost in light of the attack on the NZX and, more broadly, a 42 per cent increase in cyber incidents overall in the first half of this year, according to figures collated by Crown agency Cert NZ (the initials are for Computer Emergency Response Team).
Cert NZ warned in November that a group of cyber-criminals, aping a Russian gang that has variously gone under the names Cozy Bear, Fancy Bear and the Armada Collective, was trying to extort New Zealand financial institutions with distributed denial of service (DDoS) attacks.
A DDoS attack sees thousands of computers hijacked, then used as "zombies" to overwhelm a website with connection requests, rendering it inaccessible to its regular users.
It was a DDoS attack that was aimed at the NZX.
The bourse has so far declined to confirm or deny whether its attackers demanded money to stop their assault (which appeared to have reanimated late Wednesday, as the NZX site was again offline, albeit briefly).
This afternoon, Cert NZ deputy director Declan Ingram offered fresh details on the shifting nature of threats.
"Over the last six months we have seen an increase in the volume and sophistication of financially motivated cyberattacks in both New Zealand and overseas," he said.
"For instance, every day New Zealanders have been targeted by extortion and blackmail scams. This type of scam increased considerably during April, with reports to Cert NZ rising from less than 10 to over 170 per week.
"An attacker claims to have access to a person's webcam and has recorded them viewing adult material. The attacker threatens to share the alleged footage with the person's contact list unless they pay a ransom.
"At the other end of the scale, we have seen highly disruptive ransomware attacks making multi-million dollar demands against businesses. Beyond the standard data encryption, some attackers have been stealing sensitive data and threatening to release it unless a ransom is paid."
If you're affected by ransomware, Cert NZ recommends you don't pay the ransom, as paying doesn't guarantee you'll get your data back. It could also put you at risk of further attacks: if an attacker sees that you're willing to pay, they could target you again, Ingram said. Paying ransoms supports this kind of criminal activity.
Focus on prevention
Auckland University senior computer science lecturer Dr Rizwan Asghar told the Herald it was difficult to tell if the NZX attacker was a cyber-criminal or a state actor.
Both were good at imitating the other, and hiding their traces.
But he says it's easy to identify the immediate source of the attack: hapless people's vulnerable devices - older computers with inherently poor security, or new ones whose software has not been kept up to date.
"If ISPs co-ordinate together, then it might be possible to discover those vulnerable devices and potentially identify who exploited those devices," he says.
"But the fundamental challenge in such cases would be to collect information from countries where cybersecurity policies and compliance are poorly regulated."
NortonLifeLock security expert Mark Gorrie saw the NZX attacks as profit-driven.
Today, like others, he had no idea of the identity of the attackers, but he did offer:
"When discussing a persistent targeted attack, the question of 'who did it?' always arises.
"Unfortunately, the attribution of cyberattacks is not an exact science and the question has become increasingly difficult and complex to answer.
"At NortonLifeLock we typically cluster attack incidents together and try to attribute them to known attack groups based on similarity of digital fingerprints, such as code similarities, shared tools and shared infrastructure.
"However, cybercriminals are getting more savvy at obfuscating their origins.
"There's no doubt New Zealand's top cybersecurity professionals are trying to figure out who attacked the NZX, media organisations and other companies - but we may never know who did it."
Metservice vs NZX
Earlier Kordia chief information security officer Hilary Walton said contingency planning was also key. Think about how you will do business, and communicate with your customers, if you are hit by a DDoS attack or ransomware.
Metservice was a star performer in this regard when it was hit by a DDoS attack last week. The forecasting service redirected customers to a backup site, which lacked videos and other frills, but provided basic weather information. By contrast, the NZX - whose trading platform was not under attack, but taken down when it had no website to fulfill its continuous disclosure obligations - took days to organise alternative channels.
Organisations should focus on prevention instead, Gorrie said.
"Ensure you, your employees and your business are using strong passwords, services like VPNs [virtual private networks] to encrypt important traffic, and reputable security software and services from trusted vendors."
Read more about the cyber-security spending gap between Australia and New Zealand, an insider's description of issues inside the GCSB and more in "Year of the Hacker".