The website of the New Zealand Stock Exchange slowed to a crawl on a Tuesday afternoon in August. It was so badly throttled that the exchange could not post market announcements, as required by financial regulators. So with an hour left for trading, management shut the whole operation down.
It did not take long to figure out what had happened. The website had been overwhelmed by a tsunami of offshore digital traffic. An email from the perpetrators made clear that it was a malicious attack.
NZX Ltd, which operates the exchange, restored connectivity ahead of the next trading day. But the attacks resumed when the market opened, forcing more trading suspensions over the next couple of days.
When the exchange ultimately moved its servers out of the reach of the digital bombardment – to cloud-based servers – the attackers started targeting the exchange’s individually listed companies. In the end, trading at NZX was stopped for four days, with “only intermittent periods of availability,” according to a government assessment.
“You wouldn’t wish this on your worst enemy,” NZX Chief Executive Officer Mark Peterson told a local newspaper.
NZX was hit with the cyber equivalent of a mugging, a crude and dated style of hack that John Graham-Cumming, the chief technology officer at the cybersecurity firm Cloudflare, described as “the simplest, dumbest attack you can do.” Known as a distributed denial of service, or DDoS for short, such attacks inundate a computer network or server with so much traffic that it can become overwhelmed and stop working.
DDoS attacks have been around for decades, even though the cybersecurity industry has largely figured out how to withstand them. Nevertheless, they have endured and grown because they are relatively easy to pull off compared to actual intrusions into computer networks, and the explosive growth of internet-connected devices has given attackers an edge in launching them.
Also, many companies and organizations, including NZX, don’t bother taking the necessary precautions.
“The reason they persist is people think they will never be a victim,” Graham-Cumming mentioned.
This account is based on interviews with more than a dozen cybersecurity experts in New Zealand and elsewhere and provides new details about the attack, including boastful notes from the attackers and glaring cybersecurity deficiencies at NZX. A report released on Jan. 28 by New Zealand’s financial markets regulator reinforced these findings, blasting NZX’s failure to prevent the DDoS incident and accusing officials of a “lack of willingness to accept fault.”
NZX was targeted as part of a DDoS campaign that began last year and was striking in its global ambition. More than 100 companies and organizations around the world have so far felt its force, including Travelex in the UK, YesBank in India and New Zealand’s meteorological service, according to cybersecurity researchers and the companies themselves. None suffered the impact of NZX.
Travelex didn’t respond to messages seeking comment, nor did the meteorological service. YesBank said the attack “wasn’t material” but provided no further details.
The attacks have followed a familiar pattern, according to cybersecurity experts. Potential victims receive an email, often personally addressed to the chief IT officer. It lists a Bitcoin address and a demand for what has typically been about $200,000. The attackers promise discretion for those who pay, saying they “respect your privacy and reputation, so no one will find out that you have complied,” according to copies of the emails reviewed by Bloomberg. Cybersecurity firms report that companies targeted months ago are being sent new extortion emails, reminding them to pay the ransom or risk an attack.
The attackers, believed to be based in eastern Europe, have variously identified themselves in the emails as Lazarus, FancyBear and the Armada Collective – all names of infamous hacking groups, according to the emails and cybersecurity experts.
“We really believe it is one entity. Every aspect of the campaign is really similar,” said Hardik Modi, the Washington-based senior director of threat intelligence at cybersecurity firm NetScout Systems Inc., which is based in Massachusetts. “I run a research group and I feel like we’re up against a research group where the level of dedication is unusual. That’s why it’s caught our attention.”
Since NZX was temporarily shut down, the attackers have used it to establish credibility with new targets. Emails delivered in the weeks and months afterward contained some variation of this warning: “Perform a search for NZX or New Zealand Stock Exchange in the news, you never want to be like them, do you?”
Financial exchanges have halted trading for a variety of reasons over the years, from squirrels chewing through power lines to wars. In October, for instance, exchanges on three continents cited technical issues for shutdowns, with the all-day halt at the Tokyo Stock Exchange being the worst in its history. Similarly, the 10-hour outage at the Bolsa Mexicana de Valores was the longest blackout in its recent history; Euronext NV shuttered trading for three hours.
Officials at NZX declined to comment for this story but have told financial regulators that the magnitude of the attack was unprecedented and couldn’t have been foreseen. The Financial Markets Authority, in its report, wasn’t buying it: “Many other exchanges worldwide have experienced significant volume increases and DDoS attacks, but we have not observed any that have been disrupted as often or for such an extended period.”
NZX, and much of New Zealand, suffers from a general lack of awareness about cyber risks and doesn’t spend enough on security, said Jeremy Jones, head of cybersecurity at IT consultancy Theta in Auckland.
“There’s a reason why New Zealand is a pretty juicy target for this,” he said. “The country is highly digitized and so dependent on the internet and cloud services. But historically, we’re at least 10 years behind the U.K. and Europe on basic cybersecurity measures in the commercial space.”
Unlike a traditional hack, in which an attacker finds a way into a computer network to steal information or lock up files and demand payment, a DDoS attack is simply a blunt-force assault – directing more useless data at a company or organization than it can handle.
A common type of DDoS attack involves summoning a network of internet-connected devices – from laptops and servers to IoT devices such as DVRs and baby monitors – that have been infected with malware. The group of devices is known as a botnet, effectively a robot army, which the attacker can commandeer to do their bidding by sending directions to each device, or bot, according to Cloudflare. More often than not, the devices’ owners have no idea their machines have been hijacked.
When hundreds of thousands of devices are focused on a single target, like a server or a network, they can overwhelm the systems’ capabilities. It’s one reason, for example, why streaming services for popular television shows crash when millions of viewers are trying to download an episode at the same time. This is the ‘denial of service’ element of the attack.
In the decades since the first widely acknowledged DDoS attack in 1999 – on a single computer at the University of Minnesota — DDoS attacks have grown in size, sophistication and regularity, due in part to the growth of the internet and devices connected to it. In the first half of 2020, there were 4.83 million DDoS attacks, up 15% from the year before, according to NetScout. In the month of May alone, the firm recorded 929,000 DDoS attacks.
In 2017, in what is believed to be the largest DDoS attack yet, Google said nation-state hackers launched a six-month assault on its servers, reaching a size of 2.54 terabits per second. A terabit is a thousand times faster than a gigabit, which transmits data at a billion bits per second. In a blog post, Google said the attack didn’t cause a disruption.
There are various ways companies can beef up their cyber defenses against DDoS, including having enough bandwidth to absorb any deluge of junk traffic. They can also deploy layers of defenses, where each one protects the layer behind it, as Google said it did to block the attack on its network.
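The two defensive ideas in the passages above, a botnet flood that is spread thinly across many sources and defenses built in layers, can be illustrated with a small traffic monitor. The following is an added example and not code from the article or from any of the companies it names; the log format, the addresses and every threshold are constructed. It counts requests per second from a constructed access log and applies two layers: a per-source rate limit, which catches one noisy client but misses a flood where every bot sends a single request, and an aggregate capacity check, which catches the flood regardless of how it is distributed.

```python
"""Toy layered DDoS detection over constructed access-log lines.

Added example, not from the article. Log lines, IP ranges and thresholds
are all constructed for illustration.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple


def build_sample_log() -> List[str]:
    """Construct log lines of the form '<epoch_second> <source_ip> <path>'.

    Second 100: normal traffic (5 requests from 3 clients).
    Seconds 101-102: a flood spread across 40 distinct sources, one request each.
    Second 103: a flood of 30 requests from a single source.
    The 10.x.x.x addresses are private-range placeholders, not real hosts.
    """
    lines = []
    for i in range(5):
        lines.append(f"100 10.0.0.{i % 3 + 1} /quotes")
    for ts in (101, 102):
        for i in range(40):
            lines.append(f"{ts} 10.1.{i // 256}.{i % 256} /announcements")
    for _ in range(30):
        lines.append("103 10.2.0.9 /quotes")
    return lines


def parse_line(line: str) -> Tuple[int, str, str]:
    """Split one constructed log line into (second, source_ip, path)."""
    ts, ip, path = line.split(" ", 2)
    return int(ts), ip, path


def per_second_counts(lines: List[str]) -> Dict[int, Counter]:
    """Return {second: Counter(source_ip -> request count)}."""
    counts: Dict[int, Counter] = defaultdict(Counter)
    for line in lines:
        ts, ip, _ = parse_line(line)
        counts[ts][ip] += 1
    return counts


def per_source_offenders(counts: Dict[int, Counter], limit: int) -> Dict[int, List[str]]:
    """Layer 1: per-source rate limit.

    Returns {second: [source_ips that sent more than `limit` requests]}.
    A distributed flood where each bot sends one request never trips this.
    """
    offenders: Dict[int, List[str]] = {}
    for ts in sorted(counts):
        over = sorted(ip for ip, n in counts[ts].items() if n > limit)
        if over:
            offenders[ts] = over
    return offenders


def aggregate_alerts(counts: Dict[int, Counter], capacity: int) -> List[Tuple[int, int, int]]:
    """Layer 2: aggregate capacity check.

    Returns (second, total_requests, distinct_sources) for every second whose
    total exceeds `capacity`, i.e. more traffic than the service can absorb,
    however many sources it came from.
    """
    alerts = []
    for ts in sorted(counts):
        total = sum(counts[ts].values())
        if total > capacity:
            alerts.append((ts, total, len(counts[ts])))
    return alerts


def analyse(lines: List[str], per_source_limit: int = 10, capacity: int = 20) -> dict:
    """Run both layers over the log and return their findings."""
    counts = per_second_counts(lines)
    return {
        "per_source": per_source_offenders(counts, per_source_limit),
        "aggregate": aggregate_alerts(counts, capacity),
    }


if __name__ == "__main__":
    result = analyse(build_sample_log())
    print("per-source offenders:", result["per_source"])
    print("aggregate alerts (second, total, distinct sources):", result["aggregate"])
```

Running it shows the per-source layer flagging only second 103 (the single noisy client), while the aggregate layer flags seconds 101 and 102 as well, where 40 sources each sent a single request. That gap is the point of the layered approach the article describes: a per-client limit is cheap and stops the crude cases, but a capacity-based layer in front of it is what keeps a distributed flood from reaching the service at all.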
A few months after NZX was temporarily shut down, the attackers turned their attention to Telenor Norway, a telecommunications company whose security operations center is nestled in the seaside town of Arendal, the inspiration for the magical village of Arendelle in the Disney film “Frozen”.
About 80% of internet usage in Norway comes through Telenor Norway’s infrastructure, and the operations center normally bats away anywhere from five to 30 DDoS attacks a day. The October attack unloaded as much as 400 gigabits of data per second at the network – a fraction of what was thrown at Google but still enough to garner the full attention of a company Telenor Norway’s size.
In the end, service was disrupted for about an hour, though the attack lasted for three, said Andre Arnas, the chief security officer for Telenor Group.
Gunnar Ugland, the head of the security operations center in Norway, quickly recognized the parameters of the October attack as it was happening – only a few weeks earlier his tech team had written about the NZX attack in the company newsletter. The company had also had previous experience with major DDoS attacks and had built “really a huge infrastructure” to deal with the digital disruptions, he said.
“It’s not always easy to talk openly about these issues, because it shows when you have to be able to be open to talk about the threats and the risks,” Ugland said. “There’s a lot of organizations that do not have DDoS-specific defenses and will probably have a bigger problem for a much longer time.”
In New Zealand, the DDoS attack has prompted a fair bit of finger pointing, as well as frustration that NZX wasn’t better prepared.
Jeremy Sullivan, an investment adviser based in Christchurch, said he could forgive a temporary glitch but not a days-long outage, which delayed the processing of orders. “A DDoS attack is the equivalent of walking into a bank with a hammer and demanding money; it’s quite crude. The fact that they did not have defenses against that was really disappointing,” he said.
Some cybersecurity researchers, meanwhile, say they believe they know what caused the initial spate of attacks – NZX’s reliance on two local servers with not nearly the bandwidth to handle a major DDoS attack. The exchange was in the process of moving to cloud-based servers as part of a long-planned update when the attack hit.
Losing access to those servers “means that eventually the company ceases to exist on the internet,” said Daniel Ayers, a New Zealand-based IT security and cloud consultant, who communicated with NZX staff during the outage. “Email cannot be delivered, web addresses cannot be resolved.”
Worse yet, Ayers said, those servers didn’t have nearly enough DDoS protection once the attack got underway.
The Financial Markets Authority described NZX’s technology, staffing and preparations for a crisis as insufficient. It said a DDoS attack was “foreseeable” and “should have been planned for.” Indeed, similar extortion emails had been sent to New Zealand firms during 2019 carrying threats of action similar to what NZX sustained in August 2020, according to the regulator.
Regardless, the DDoS attack on NZX has made one thing clear: New Zealand’s days of acting as if it is a “safe haven like Hobbiton” are over, said Andy Prow, the chief executive officer of the Wellington-based cybersecurity firm RedShield Security Ltd, referring to the idyllic home of the Hobbits in “The Lord of the Rings.”
“We’ve really joined the rest of the world,” he said. “New Zealand is being hammered as badly as everyone else.”