Cyber experts not convinced Treasury was hacked

Claims that the National Party released hacked Budget information on Tuesday are likely to be incorrect, according to cybersecurity experts.

On Tuesday, National leader Simon Bridges revealed details of the Wellbeing Budget - two days before the official announcement. Finance Minister Grant Robertson admitted some of the information was correct.

Later that evening, Treasury, which has access to Budget information, released a statement saying there was sufficient evidence to show its systems had been deliberately and systematically hacked.

On Wednesday, Treasury head Gabriel Makhlouf said there had been 2000 attempts at attacking the Treasury's system in 48 hours.

Treasury wouldn't draw a direct link between the hack attempts and the information released by National, but Bridges says Robertson implied a connection with a statement the Finance Minister released on Tuesday.

"We have contacted the National Party tonight to request that they do not release any further material, given that the Treasury said they have sufficient evidence that indicates the material is a result of a systematic hack and is now subject to a police investigation," Robertson said.

But cyber-security experts from Darkscope, a Kiwi organisation with expertise in artificial intelligence, suggest any claim that National received information as the result of the Treasury being hacked was likely incorrect.

"Claims from the head of Treasury, Gabriel Makhlouf, that 2000 attempts in 48 hours as proof that their systems were hacked clearly shows their lack of cyber security awareness," a statement from Darkscope said.

"There are nearly one billion website breach attempts blocked every day across the world – it is far more common than most people expect. The 1000 attempts per day is simply 'white noise' on the Treasury site."

Darkscope conducted a scan of cyber-attack activity in the New Zealand Government sector and found that agencies were "always under attack, by mainly foreign attackers".

"An attack rate of 1000 attempts in a day is at the very light end of the spectrum."

While there are different types of attacks, of varying complexity, Newshub found last year that the Bay of Plenty District Health Board fielded up to 864,000 potential cyber attacks every day.

On Wednesday, Bridges said as a former Minister in charge of cyber security issues, "there are things going on every day".

"Frankly if you went six months ago and you had a look around Treasury, there would be actors from all over the place trying to hack the Treasury."

Joerg Buss, Darkscope's technical director, told Newshub that it would normally take hundreds of thousands of attempts to get through a website's layers of protections.

Buss said there were two likely scenarios of how the hacker got the information.

It could have been that the hacker quickly got through weak protection fields - which was unlikely for the Treasury - or a case of human error.

"A more likely scenario is that someone used a spider or crawler program to find 'hidden' content in the Treasury website (which is not considered a cyber-attack) and may have found the Budget 2019 files which were not protected properly at that stage."

Some people online have posted images of Treasury webpages with links to 2019 Budget information that led to a "403 error". That can suggest the information is present but not public - at least not anymore.

But Makhlouf told The AM Show on Wednesday that while information had been in the process of being uploaded, it wasn't publicly available.

"I have instigated a review to check exactly what has happened. But the information I had yesterday confirmed there was no accidental release of the information.

"There is a lot of information that is uploaded and it takes time to upload. So there was a process, but it wasn't open to the public."

Bridges denies the National Party was involved in any illegal activity and said the information they received had not come to them as the result of a hack.

Newshub has contacted Treasury for further comment.