More New Zealand businesses likely to be targeted by new, complex 'strain' of cyber attack, expert predicts

A cybersecurity expert is warning more New Zealand businesses are likely to be the target of a new, complex "strain" of cyberattack over the coming weeks.

Day after day for the last week, the New Zealand Stock Exchange (NZX) website has been taken offline by repeated Distributed Denial of Service (DDoS) attacks, in which a website is purposefully overloaded with significant amounts of traffic.

Other businesses have also been targeted, including media outlets Stuff and RNZ, and on Tuesday, MetService. However, their sites were unaffected.

Bruce Armstrong, director of cybersecurity company Darkscope International, told Newshub the attacks are something to be concerned about. 

"Yes, we should [be concerned]. This type of DDoS attack that we are seeing now is a new strain of the attack, a new version of the attack. It is more complex and it is more difficult to defend against," Armstrong said.

He said DDoS attacks fell in volume year-on-year between 2016 and 2018, before skyrocketing by 84% at the start of 2019. These attacks are more complex, so they last longer and have the ability to defeat existing defensive systems which try to reroute the traffic.

The attacks are often "geographically clustered", Armstrong said, meaning they focus on specific regions at a time. At the moment, it appears it's New Zealand's turn.

"I think we are going to see this in New Zealand for a little bit of time to come yet," he said.

"New Zealand is right in the target for these guys. There will be a lot more New Zealand companies that are going to have these kinds of frights over the few weeks. Hopefully, it only lasts that long."

He said businesses need to be more than just vigilant about these sorts of attacks and should actively work with groups to ensure the denials of service can be deflected. Organisations are set up, Armstrong said, to "absorb these attacks" and "channel them" away from the business's website.

"These organisations have the ability to take the brunt of the attack and basically deflect it away from you."

But Kiwis also need to start rethinking how we view cybercrime, he said. 

"I think we need to generally get better about the way we think about cyber attacks. The world has changed from what it was. These guys who are making these attacks aren't sitting in their mum's basements wearing a hoodie any longer. These guys are professionals. 

"They are sitting in office buildings in countries which don't have extradition treaties. They are driving flash cars. They have got retirement plans, they have health plans, and they have got education plans for their kids. They spend all their time working out to attack and make money out of cybercrime."

Reports have speculated an overseas crime syndicate is behind the attacks on the NZX, demanding a massive Bitcoin ransom in exchange for stopping.

Darkscope says a Russian cyber espionage group called Fancy Bear conducted such attacks in 2019, targeting financial service organisations and entertainment and retail sectors around the world, including in South America, Africa, northern Europe and parts of Asia.

"It is unclear whether the attacks on the NZX, Stuff and Radio NZ sites are from Fancy Bear. In fact, it is unlikely as these attacks do not match Fancy Bear's typical behaviour."

Last week, the Government Communications Security Bureau (GCSB) was brought in to help the NZX, which had to halt trading on several days as a result of the attacks.

Finance Minister Grant Robertson said on Friday the Government is supporting NZX Ltd by getting the Government's spy agencies involved. He said at the time that he was not aware of any ransom demands and directed the question towards the GCSB. 

"We recognise that it is important that the Government works with private companies like them when they are faced with issues like the cyber-attack they are currently experiencing," Robertson said. 

"There are limits to what I can say today about the action the Government is taking behind the scenes due to significant security considerations."

He said the Government is aware of the impact it is having on the stock market and officials and ministers have been working with the NZX. 

"Ministers have asked the GCSB to assist and the National Cyber Security Centre within the GCSB are assisting NZX. The National Security System has been activated which ensures coordination between agencies in order to support the NZX," Robertson said. 

The minister in charge of the GCSB, Andrew Little, told media on Tuesday that the agency was getting on top of the attacks and that the NZX had received an email message before it was hit. That email is now being tracked back to where it came from.

Weather forecaster MetService is the latest to be hit.

In a statement, it told Newshub that its security service provider had experienced a DDoS on Tuesday, and the "issue was dealt with in a timely manner".

"As of 5pm [on Tuesday], there has been no notable loss of performance to any MetService digital platforms. MetService also operate a back-up site, this site contains all safety critical information, and includes authorised MetService Severe Weather Watches and Warnings, MetService rain radar imagery and brief forecast information," a spokesperson said.

"The team at MetService remain on the highest alert of any threat, and our service provider has additional resource available to help effectively navigate and mitigate the situation should it escalate."