Through numerous official information Act (OIA) requests, the Herald has discovered multiple instances where Government departments have been hacked. Photo / 123RF
Through numerous official information Act (OIA) requests, the Herald has discovered multiple instances where Government departments have been hacked. Photo / 123RF
A government ministry was the victim of more than 180 million hacking attempts in less than 18 months.
Three government departments confirmed they have been targeted by hackers and many more have revealed they are under "constant" cyber-attacks.
Foreign hackers are responsible for many of the incursions and government departmentsare investing in complex IT defence systems to fight a bombardment of digital threats and malicious malware.
Treasury Secretary Gabriel Makhlouf making his presence known to journalists during the Wellbeing Budget 2019 lock-up at Parliament. Photo / Mark Mitchell
In the wake of last month's Budget "hacking" scandal, the Weekend Herald lodged numerous Official Information Act requests to government departments.
The responses reveal a disturbing pattern of repeat attacks and multiple instances where hackers have targeted top ministries and state sector agencies.
The Government Communications Security Bureau (GCSB) describes a hack as "unauthorised access to your network or systems that would constitute a cyber-security incident".
Many of the incidents reported by our government departments meet that definition.
Statistics New Zealand said that between early 2017 and May last year, it was hacked three times.
In these instances, malware – software designed to damage or gain unauthorised access to a computer system – was introduced to the department's systems.
"These have occurred when staff have inadvertently downloaded the malicious software," the OIA said.
However, it stressed that no data was compromised during the attacks.
The Ministry of Transport said that one of its "smaller websites" was hacked in April this year, but it did not confirm which one.
An investigation revealed no loss or corruption of the ministry's data and there was "no further security risk".
Land information New Zealand said it has had one instance of hacking in recent years, where unauthorised access to its network or systems was detected.
LINZ said, like all organisations that had a presence on the internet, it was "constantly under attack".
"This is why we have a multi-layered defence for our IT systems, whereby attacks are detected and blocked by our internet and email protection services."
The Ministry for Primary Industries said although it has had no "cybersecurity incidents" between January 2018 and May this year, it had detected and blocked more than 180 million attempted cyber intrusions over that period.
Victoria University's Cybersecurity Programme director Ian Welch said although the number sounded big, its scale made sense.
"Cybersecurity incidents" could be interpreted in many ways, Welch said. The attacks could range from small denial of service attacks to bigger hacking attempts.
Welch said the attacks were likely to come from a variety of countries, such as Ireland, the US and China.
Cyber safety has shifted further into focus after former Treasury Secretary Gabriel Makhlouf said sensitive Budget information had been acquired by a "hack" last month.
Treasury had not, in fact, been hacked and Makhlouf later admitted an "unknown person or persons appeared to have exploited a feature in the website search tool".
As it turned out, that "person or persons" was the National Party, which used the website's search bar to gather information.
In its report into Makhlouf's response, the State Services Commission said his likening the incident to a persistent attack on a bolted door fell short of the standards of a public service chief executive.
But the saga also put the spotlight on what actually defines a "hack". The SSC said there many interpretations of the word, citing various dictionary definitions.
The Ministry of Foreign Affairs and Trade confirmed it was subject to a "substantial number of attempted hacks each day".
It had "significant technology security controls" to defend its systems including firewalls, intrusion detection systems and technical policy settings which could "detect, capture and neutralise malware activities of concern".
The Department of the Prime Minister and Cabinet had not been hacked within the last year but it too said it was under "continuous attack from cyber intrusions".
Many of these attacks were blocked by the DPMC's defensive mechanisms.
The Ministry of Health would not say how many times it had been hacked, saying "it would be inappropriate to publicly disclose operational or technical details of this nature".
However, the ministry did cite "a variety of controls and protective measures" it had in place to fight hacking.
GCSB Minister Andrew Little said the GCSB provides a range of cybersecurity defence services to help protect government agencies. Photo / Michael Cunningham
Minister in charge of GCSB Andrew Little said although it was the lead agency for information security across the public sector, each department was ultimately responsible for ensuring its own cybersecurity resilience.
Little said the GCSB provided a range of cybersecurity defence services to help protect government agencies and other organisations of national significance from malicious cyber activity.
He added that the National Cyber Security Centre was developing and offering its new Malware Free Networks service to a broader range of government and private sector organisations.
