Published on 03/09/2020 | Written by Jonathan Cotton
NZ follows Australia in facing onslaught of DDoS attacks…
The NZX’s public-facing website is back online again following a week of sustained repeated distributed denial of service (DDoS) attacks.
Though the NZX is a critical piece of New Zealand infrastructure, the website is used primarily for publishing market announcements. Nevertheless, in the face of repeated attacks, New Zealand’s NZ$204 billion exchange was forced to freeze trading last Friday until 1pm in order to maintain market integrity.
So just what is a DDoS attack?
“A distributed denial of service attack works by overloading traffic to internet sites,” says Dave Parry, professor at the Department of Computer Science, AUT.
“This means the web servers cannot service transactions normally and this is clearly a huge issue for a trading site where timing and assurance that transactions have completed are both critical.”
Parry says attackers infect large numbers of ‘innocent’ computers with malware, turning them into ‘bots’ that can be instructed to keep trying to access the affected site.
“It’s like large numbers of people all shouting at you at once – you can’t distinguish the real messages from the false ones.”
Where are the attacks coming from?
GCSB Minister Andrew Little says the attacks are likely financially motivated, as opposed to originating from state actors, but the exact origin of the offensive is still unclear.
New Zealand’s National Cyber Security Centre, an arm of the Government Communications Security Bureau, is saying only that it is aware of an ‘ongoing campaign of denial-of-service attacks affecting New Zealand entities…predominantly in the financial sector’.
And the offensive follows warnings received last year that DDoS attacks were imminent.
“We have received reports of extortion emails targeting companies within the financial sector in New Zealand,” said cybersecurity organisation Cert NZ in a blog post from November.
“The emails claim to be from a Russian group called ‘Fancy Bear / Cozy Bear’ and demand a ransom to avoid denial-of-service attacks,” says Cert.
“They carry out a short denial-of-service attack against a company’s IP address to demonstrate their intent.”
Akamai, a cybersecurity organisation specialising in content delivery networks, has been brought in to help the NZX cope with the attacks, and says that such incidents have been occurring around the world and across sectors.
“There are institutions that reside in the UK, US and APAC region who have received ransom letters,” says the firm.
“Akamai is aware of new threats being made by those claiming to be Fancy Bear and Armada Collective. They are currently targeting multiple sectors, including banking and finance, as well as retail.
“We can confirm that we’re now seeing attacks peak at almost 200 Gb/sec, utilising ARMS, DNS Flood, GRE Protocol Flood, SNMP Flood, SYN Flood, and WSDiscovery Flood attacks as their main vectors.”
In addition to the NZX, DDoS attacks possibly originating from the same source have also been launched against New Zealand media outlets, banks and the MetService.
In Australia, the Australian Signals Directorate this week announced it is working with private sector companies to bolster the nation’s resilience to cyberattacks, posting intelligence officers within some private companies.
The move follows 2019’s hack of Australia’s parliament and three largest political parties – and a spate of attacks on the private sector.
Rachel Noble, head of the Australian Signals Directorate, says: “We already started to partner with a number of companies and actually agreeing to embed each other’s staff, so that we better understand what we have in terms of a threat picture.”
Australia has pointed the finger at the Chinese government for the attacks, although authorities in Beijing deny it.
The recent spate of successful DDoS attacks – and the rise of cyber-extortion in general – should be a wake-up call for organisations across Australia and New Zealand.
“To protect against DDoS attacks, you may need to work with your ISP, and engage with a DDoS protection service, such as Cloudflare or Akamai, to prevent the DDoS traffic from reaching your systems,” says Cert.
“If you use such a service, ensure that your servers only accept traffic from your DDoS protection provider so that the protection cannot be bypassed.”
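The second half of that advice is the part most often skipped: a scrubbing provider only helps if attackers cannot send traffic straight to the origin server’s real IP address. The following is an added example, not code from the article, CERT NZ, Akamai or Cloudflare. It assumes the provider publishes its egress IP ranges as a CIDR list (Cloudflare does at https://www.cloudflare.com/ips-v4 and /ips-v6; other providers have equivalents), builds an allow-list from that list, flags connections that arrive at the origin from anywhere else, and renders an equivalent nftables fragment. The ranges and the connection log in the block are constructed sample data, not real provider ranges.

```python
"""
Origin allow-listing check for a CDN / DDoS-scrubbing setup.

Added example; not code from the article or from any provider.
The provider ranges and the connection log below are CONSTRUCTED
placeholders (RFC 5737 / RFC 3849 documentation addresses).
"""
import ipaddress

# Constructed stand-in for the provider's published egress ranges.
PROVIDER_RANGES_TEXT = """
# IPv4
203.0.113.0/24
198.51.100.0/25
# IPv6
2001:db8:100::/48
"""

# Constructed origin connection log: (source IP, destination port).
SAMPLE_CONNECTIONS = [
    ("203.0.113.17", 443),      # arrives via the provider
    ("198.51.100.200", 443),    # just outside the /25: not the provider
    ("192.0.2.45", 443),        # direct-to-origin bypass attempt
    ("2001:db8:100::5", 443),   # arrives via the provider (v6)
    ("2001:db8:200::5", 443),   # direct-to-origin bypass attempt (v6)
]


def parse_cidrs(text):
    """Parse a published range list, ignoring blank lines and '#' comments.
    strict=True rejects malformed entries such as a host bit set in a /24."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def is_allowed(src, nets):
    """True if the source address falls inside any provider range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


def classify(connections, nets):
    """Label each logged connection 'allow' (via provider) or 'drop'."""
    return [(src, port, "allow" if is_allowed(src, nets) else "drop")
            for src, port in connections]


def bypass_attempts(connections, nets):
    """Source IPs that reached the origin without passing the provider:
    exactly the traffic the CERT advice says must be refused."""
    return [src for src, _, verdict in classify(connections, nets)
            if verdict == "drop"]


def render_nft_rules(nets, ports=(80, 443)):
    """Emit an nftables table that accepts the web ports only from the
    provider ranges and drops them from everywhere else. Other ports
    (e.g. management SSH) are left to the default policy on purpose."""
    v4 = [str(n) for n in nets if n.version == 4]
    v6 = [str(n) for n in nets if n.version == 6]
    plist = ", ".join(str(p) for p in ports)
    lines = ["table inet origin_guard {"]
    if v4:
        lines.append("    set cdn4 { type ipv4_addr; flags interval; "
                     "elements = { " + ", ".join(v4) + " } }")
    if v6:
        lines.append("    set cdn6 { type ipv6_addr; flags interval; "
                     "elements = { " + ", ".join(v6) + " } }")
    lines.append("    chain input {")
    lines.append("        type filter hook input priority 0; policy accept;")
    if v4:
        lines.append(f"        tcp dport {{ {plist} }} ip saddr @cdn4 accept")
    if v6:
        lines.append(f"        tcp dport {{ {plist} }} ip6 saddr @cdn6 accept")
    lines.append(f"        tcp dport {{ {plist} }} drop")
    lines.append("    }")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    nets = parse_cidrs(PROVIDER_RANGES_TEXT)
    for src, port, verdict in classify(SAMPLE_CONNECTIONS, nets):
        print(f"{src:>18} :{port}  {verdict}")
    print("bypass attempts:", bypass_attempts(SAMPLE_CONNECTIONS, nets))
    print(render_nft_rules(nets))
```

Two caveats a practitioner should keep in mind. Provider ranges change, so the list has to be refreshed on a schedule rather than pasted once; a stale list silently drops legitimate traffic or, worse, leaves an old range open. And an address-based allow-list only proves the packet came from the provider's network, not that it came from your account on that network, so it is worth pairing with origin authentication the provider supports (a client certificate or shared header validated at the origin) and with keeping the origin's address out of DNS history and TLS certificate transparency logs.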
The NCSC has also published a guide to help organisations plan for, prepare for and respond to cybersecurity incidents.