A stock market crash - literally
On Tuesday afternoon, the electronic ticker scrolling around the NZX building in Wellington went haywire.
"Hey @NZXGroup your ugly Wellington ticker is borked," wrote Twitter user Oliver.
"My camera can't capture how rapidly and brightly it is strobing. Maybe time to retire it?"
But the NZX had bigger issues to deal with than a borked sign as the country's stock exchange was knocked offline thanks to a distributed denial-of-service attack. The stock exchange is considered critical infrastructure, the lifeblood of capitalism. That may explain the attack.
The DDOS method of taking down a website or online service is rather quaint in today's cyber-attack landscape where ransomware attacks are favoured as a method of extracting money from companies and individuals willing to pay to retrieve their data or get their services back online.
Denial of service is the hallmark of the shadowy hacker collective Anonymous, which in its manifesto declares that "greed and materialism is evil".
Harnessing the botnet
It has targeted financial institutions before, as well as government agencies, though has been less active in recent years. That's maybe down to the fact that cybercrime task forces are becoming more effective at tracking down hackers, who are facing serious jail time for their hacking. Last year a hacker was sentenced to ten years in prison in the US for running DDOS attacks against, of all things, a children's hospital, in 2014.
That attack, dubbed #OpJustina was apparently in protest at the hospital misdiagnosing a young girl's medical condition which had led to the girl being separated from her parents.
There's no suggestion Anonymous is behind the outages at the NZX, which were finally resolved yesterday. But the NZX and the government may never actually figure out where it came from.
"Attackers normally infect large numbers of 'innocent' computers with malware, turning them into 'bots' that can be instructed to keep trying to access the affected site," says AUT computer science expert, Professor Dave Parry, of the botnets that are usually harnassed to launch DDOS attacks.
"It's like large numbers of people all shouting at you at once - you can't distinguish the real messages from the false ones."
Yesterday, the NZX IT team was scrambling to shut down the botnet attack. Parry says there are two main ways to do that. If you know where the majority of the traffic is originating from, you can try and get the owners of those devices to update their security and patches and delete the malware.
But that takes time when dealing with offshore parties. More likely, the NZX would have focused on blocking IP addresses of the bot machines using a firewall.
"Spark will be looking at network traffic to identify sources and block them," says Parry.
"Sophisticated attackers will be changing the IP addresses of the attacking computers, potentially via Virtual Private Network software, turning them on and off and also adding new ones."
The NZX is considered critical infrastructure, so the GCSB and the Computer Emergency Taskforce (CERT) have taken an interest in the attack. The government has invested in the National Cyber Security Centre to "supply advanced cyber threat detection and disruption capabilities developed through the CORTEX initiative".
But ultimately, each private organisation is responsible for its own cybersecurity. The NZX has faced technical outages that have disrupted trading before. But the latest one has led many to raise questions about the exchange's ability to fend off attacks, given it is such a prime target.
Unfortunately, the pandemic has increased the likelihood of DDOS attacks, says Parry.
"The skills and software to do this are widely available and the disruption of Covid and people working from home all over the world potentially with lower security on their computers means that these attacks are easier than usual."
Communications and digital media and government digital services minister Kris Faafoi said last night that cyber experts had told him the attack was unlikely launched by a state actor. But the reality is that it is sometimes impossible to know.
"Recently, Australia has pointed the finger at the Chinese government for similar attacks; the Chinese government has strongly denied this," Parry points out.
"As yet, there is no evidence that this attack is by an overseas government. Criminal gangs, especially if they are based in poorly-regulated countries, can use these attacks to demand ransoms."
For now, he says, its a good reminded to stay vigilant on cybersecurity, particularly if you run a critical real-time service like a stock exchange.
"This is not an issue around New Zealand computers being vulnerable to security breaches, but it is worth checking that anti-virus and security patches are up to date, and that people running websites, etc. notify their ISP if there is unusual activity."
You must be logged in in order to post comments. Log In