NZX back online as Government assists in helping it address cyberattacks
The Government and its cybercrime-fighting unit are assisting the NZX to respond to repeated cyberattacks which have disrupted trading on the New Zealand stock exchange for four consecutive days.
The NZX, a listed company, was knocked offline around 9.45am on Friday due to connectivity issues which the NZX said resembled cyberattacks it suffered earlier in the week.
It was back online by 1pm and its main board opened for trading a short time later.
Finance Minister Grant Robertson said the Government Communications Security Bureau (GCSB) had been called in to help and its national cybersecurity centre was now assisting the NZX.
The GCSB is a government agency whose duties include protecting New Zealand’s national security from cyber-borne threats.
A statement from the NZX released on Friday evening said the equity cash markets closed with a value of $278 million.
NZX chief executive Mark Peterson said it was a systems connectivity issue, not a data or communication integrity issue.
The NZX was working with Spark, the GCSB and national and international cyber-security experts, he said.
“Given that this is an ongoing response, NZX will not be providing detail on the nature of the attacks or counter-measures. We are directly communicating with our stakeholders and market participants and will continue to update them as necessary.”
The country’s national security system directorate, which coordinates and supports national security system activities, had been activated to ensure coordination between agencies to support the NZX, Robertson said.
“We are aware of the impact this is having on the stock market and officials and ministers have been working with the NZX.”
He would not provide further details but said the Government was treating it “very seriously”.
“We are aware of the impact it is having.”
The GCSB would not comment.
US-owned technology news site ZDnet has reported that the cybercrime group targeting the NZX has been attacking several financial providers around the world, demanding payment in Bitcoin to call off its attacks.
ZDnet said the attackers had gone by names including “Armada Collective” and “Fancy Bear” and usually emailed “huge ransom demands” to victims.
NZX spokesman David Glendining would not comment on whether it had received a blackmail demand for a ransom, or whether the company had a policy with regard to paying them.
Other targets of the criminals had included money transfer services PayPal and Worldpay and YesBank India, ZDnet said, citing a source.
Nasdaq-listed online content delivery giant Akamai Technologies said the group posing as Armada Collective/Fancy Bear had been capable of deluging victims with spurious web requests at the rate of 200 gigabits a second (Gbps) to swamp their online services.
“The initial contact starts with a threatening email, warning of an impending distributed denial-of-service attack against their company unless a ransom is paid in Bitcoin,” Akamai said.
In some cases, those letters warned that if the existence of the extortion demand was disclosed publicly, for example by being released to the media, then the threatened attack would begin immediately, it said.
Akamai said past ransom demands had started at up to 20 Bitcoin (NZ$341,140) rising by up to 30 Bitcoin a day if the payment deadline was missed.
Akamai, whose own customers had been targeted by the group, advised victims not to pay up, saying there was no guarantee the attacks would end and “paying ransom demands will only further finance the group perpetrating them”.
Some IT security experts have called for governments to try to stem the tide of ransomware in particular by making it illegal for victims to pay ransomware demands.
A poll in January indicated majority support for that concept among Stuff readers.
But a spokeswoman for Communications Minister Kris Faafoi responded in March that the “short answer” was that the Government was not looking into reforms.
Sean Duca, the Sydney-based regional chief security officer of US cyber security firm Palo Alto Networks, said it was typical for attack victims not to share much information in the early days of an attack.
The attackers might not be a notorious group such as Fancy Bear, whose past focus had been more on cyber espionage and warfare, but another group that had decided to leverage their name, he said.
Cyber security agency Cert NZ warned Kiwi businesses of possible impending DDOS attacks in November and suggested they consider engaging a DDOS protection service, such as one provided by Akamai or Cloudflare, to prevent DDOS traffic from reaching their systems.
But Duca said there was no “one stop shop” that could completely protect organisations from cyber attacks.
200Gbps of sustained traffic was probably enough to “rattle most people” and it was possible NZX had done everything it could have done to protect itself, he said.
“There is no silver bullet when it comes to security.
“That panacea is more delivered by a number of different solutions and services.”
The NZX could potentially hamper an attack by closing off its online services to all overseas web traffic “but it starts to become problematic when you think about the sort of organisation NZX is”, he said.
“Being an exchange, they probably rely on a lot of people connecting to their systems from outside the country.”
The attackers could also have access to compromised systems within the country from which to launch attacks, he said.
Paying ransoms “fed the beast” and banning that would be good, but would not solve the problem, he said.
Most countries hadn’t devoted a lot of time to dealing with cyber crime as an area of focus, though the Australian government had done so this year in the wake of geopolitical tensions, Duca said.
“They have given some well-deserved and much-needed funding to the Australian federal police to bolster their enforcement capabilities.
“Gone are the days when we used to see 700 or 800 bank robberies a year in some countries – now it may be seven.”
That was partly because cyber crime was more lucrative and could be conducted across the globe “from the comfort of a lounge room”.
“It is incumbent on governments to start to say ‘how do we start to deal with this?’. Because this is not a problem that is disappearing.”
A DDOS attack involves harnessing a number of computers and directing them to bombard organisations, often with requests to connect, overloading their servers and crashing their websites.
The computers used to launch the attack can be owned by innocent members of the public or businesses that have previously been compromised by malware.
The NZX website was down for about 45 minutes on Friday morning before being restored briefly at about 10.30am. It then crashed again minutes later.
It is understood its services are hosted by Spark, which has been approached for comment.
An NZX memo to the market at 8.31am on Friday said it would open as normal and it was working to put in place additional measures to maintain system connectivity, and address the issue.
However, at around 9.45am the website crashed, with a landing page saying “host error” and “no servers are available”. The market usually opens for trading at 10am.
An NZX spokesman told Stuff it was experiencing connectivity issues which appeared similar to those caused by the earlier DDOS attacks.
As a result it had extended the pre-open for the NZX main board and Fonterra shareholders market.
The NZX debt market was placed into a halt at 9.58am. The NZX Derivatives Market remained open.
Grant Williamson, director of brokerage firm Hamilton Hindin Greene, said it was very frustrating for everyone involved that the attacks had run to a fourth day.
“It’s not good for business obviously.”
Brokers would have to “play a bit of catch up” when the market reopened, he said during the attack.
The market coming to a halt was not good for investors, who wanted to know what price they would get when placing an order, he said.