The New Zealand Stock Exchange website slowed to a crawl on a Tuesday afternoon in August. It was throttled so badly that the exchange was unable to post market announcements as required by financial regulators. So with an hour left to act, management shut down the entire operation.
It didn't take long to find out what had happened. The website had been overwhelmed by a tsunami of traffic from offshore. An e-mail from the perpetrators made it clear that it was a malicious attack.
NZX Ltd, which operates the exchange, restored connectivity before the following trading day. But the attacks resumed as soon as the market opened, suspending trading again over the following days.
When the exchange finally moved its servers beyond the reach of the digital bombardment – to cloud-based servers – the attackers began targeting the exchange's individually listed companies. Trading on NZX was eventually suspended for four days, with "only intervals of availability," according to a government assessment.
"You wouldn't wish this on your worst enemy," Mark Peterson, NZX Chief Executive Officer, told a local newspaper.
NZX was hit by the cyber equivalent of a robbery, a crude and dated hacking style that John Graham-Cumming, chief technology officer at cybersecurity firm Cloudflare, described as "the simplest, dumbest attack you can do." Known as a distributed denial of service, or DDoS for short, such attacks flood a computer network or server with so much traffic that it can become overwhelmed and stop functioning.
DDoS attacks have been around for decades, and the cybersecurity industry has largely figured out how to resist them. Nonetheless, they have persisted and grown because they are relatively easy to carry out compared with actually breaking into a computer network, and the explosive growth of internet-connected devices has given attackers far more firepower to launch them.
Also, many companies and organizations, such as NZX, don't bother to take the necessary precautions.
"The reason they persist is that people think they will never be a victim," said Graham-Cumming.
Based on interviews with more than a dozen cybersecurity experts in New Zealand and elsewhere, this account provides new details about the attack, including bragging notes from the attackers and blatant cybersecurity flaws at NZX. A report released Jan. 28 by New Zealand's financial markets regulator reinforced those findings, faulting NZX for failing to prevent the DDoS incident and accusing its officials of an "unwillingness to accept mistakes."
NZX was targeted as part of a DDoS campaign that started last year and stood out for its global ambition. According to cybersecurity researchers and the companies themselves, more than 100 companies and organizations around the world have been hit so far, including Travelex in the UK, YesBank in India and the New Zealand Meteorological Service. None suffered the impact NZX did.
Travelex did not respond to messages asking for comment, nor did the meteorological service. YesBank said the attack was "not material," but did not provide further details.
According to cybersecurity experts, the attacks have followed a familiar pattern. Potential victims receive an email, often addressed personally to the chief IT officer. It includes a Bitcoin address and a demand for what was typically around $200,000. The attackers promise discretion to those who pay, vowing to "respect your privacy and reputation so that no one finds out that you have complied," according to copies of the emails reviewed by Bloomberg. Cybersecurity firms report that companies targeted months ago are receiving new blackmail emails reminding them to pay the ransom or risk an attack.
The attackers, believed to be based in Eastern Europe, variously identified themselves in the emails as Lazarus, FancyBear and the Armada Collective – all names of notorious hacker groups, according to the emails and cybersecurity experts.
"We absolutely assume it is one entity. Every aspect of the campaign is absolutely comparable," said Hardik Modi, Washington-based senior director of threat intelligence at NetScout Systems Inc., a cybersecurity company based in Massachusetts. "I lead a research team and I feel like we are dealing with a research team where the level of dedication is unusual. That's why it has caught our attention."
Since NZX was temporarily shut down, the attackers have used the incident to establish credibility with new targets. Emails delivered in the weeks and months afterward contained a variation of this warning: "Search the news for NZX or New Zealand Stock Exchange, you don't want to be as they are, do you?"
Financial exchanges have halted trading over the years for a variety of reasons, from squirrels chewing through power lines to wars. Stock exchanges on three continents, for example, cited technical problems for shutdowns in October, with the all-day downtime on the Tokyo Stock Exchange the worst in its history. The 10-hour outage at the Bolsa Mexicana de Valores was the longest in its recent history, and Euronext NV suspended trading for three hours.
Officials at NZX declined to comment for this story, but have told financial regulators that the scale of the attack was unprecedented and unforeseeable. New Zealand's Financial Markets Authority, in its report, did not buy it: "Many other exchanges around the world have experienced significant volume increases and DDoS attacks, but we have not seen any disrupted so often or for so long."
NZX, and much of New Zealand, suffers from a general lack of awareness about cyber risks and is not spending enough on security, said Jeremy Jones, head of cybersecurity at Auckland-based IT consulting firm Theta.
"There is a reason New Zealand is a very juicy target for this," he said. "The country is highly digitized and therefore dependent on the internet and cloud services. But historically, we are at least 10 years behind the UK and Europe in overall cyber security measures in the commercial space."
Unlike a traditional hack, where an attacker makes their way into a computer network to steal information or lock files and demand payment, a DDoS attack is simply a brute-force attack: sending a company or organization more useless data than it can handle.
A common type of DDoS attack harnesses a network of internet-connected devices, from laptops and servers to IoT devices such as DVRs and baby monitors, that have been infected with malware. The group of devices is known as a botnet, basically a robot army, which the attacker can command by sending instructions to each device, or bot, according to Cloudflare. More often than not, the owners of the devices have no idea that their machines have been hijacked.
When hundreds of thousands of devices are aimed at a single target, such as a server or a network, they can overwhelm the capacity of the system. The effect is the same one that makes streaming services buckle when millions of viewers try to watch an episode at the same time. This is the "denial of service" element of the attack.
In the decades since the first widely recognized DDoS attack in 1999, on a single computer at the University of Minnesota, DDoS attacks have grown in size, sophistication and frequency, in part because of the growth of the Internet and the devices connected to it. In the first half of 2020, NetScout saw 4.83 million DDoS attacks, an increase of 15% from the previous year. In May alone, the company registered 929,000 DDoS attacks.
In 2017, in what is believed to be the largest DDoS attack to date, Google said nation-state hackers launched a six-month campaign against its servers that peaked at 2.54 terabits per second. A terabit is a thousand gigabits, and a gigabit per second is a billion bits per second. In a blog post, Google said the attack caused no interruption.
There are several ways businesses can strengthen their defenses against DDoS, including provisioning enough bandwidth to absorb a torrent of junk traffic. They can also deploy layers of defense, with each protecting the layer behind it, as Google said it did to block the attack on its network.
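The distinction the botnet and bandwidth passages above are drawing can be made concrete. The following is an added illustration, not code from the article or from any company named in it: it builds two constructed traffic logs, a single noisy source and a botnet of many quiet sources, and compares the raw load with what survives a per-source rate limiter. The capacity figure and per-IP limit are hypothetical stand-ins for what a server or its upstream link can absorb; the point is that per-source limits stop the first case but not the second, which is why only headroom or upstream filtering helps against a distributed flood.

```python
"""Why a distributed flood beats per-source rate limiting.

Added illustration; the traffic is constructed. "Legitimate" clients sit in
10.0.0.0/16 and "bots" in the 198.18.0.0/15 benchmarking range. CAPACITY_RPS
and PER_SOURCE_LIMIT are hypothetical values, not measurements from any site.
"""
from collections import Counter


def make_traffic(n_legit, legit_rps, n_bots, bot_rps, seconds):
    """Return a list of (second, source_ip) request records."""
    records = []
    for sec in range(seconds):
        for i in range(n_legit):
            ip = f"10.0.{i // 256}.{i % 256}"
            records.extend([(sec, ip)] * legit_rps)
        for b in range(n_bots):
            ip = f"198.18.{b // 256}.{b % 256}"
            records.extend([(sec, ip)] * bot_rps)
    return records


def analyze(records, capacity_rps, per_source_limit):
    """Compare raw per-second load with what survives a per-source limiter.

    capacity_rps: requests per second the server can handle (hypothetical).
    per_source_limit: most requests any single IP may send in one second.
    """
    per_second = Counter(sec for sec, _ in records)
    per_source_second = Counter(records)  # (second, ip) -> request count
    surviving = Counter()  # load per second after the per-IP limit is applied
    for (sec, ip), n in per_source_second.items():
        surviving[sec] += min(n, per_source_limit)
    peak = max(per_second.values())
    peak_after_limit = max(surviving.values())
    return {
        "sources": len({ip for _, ip in records}),
        "peak_rps": peak,
        "peak_rps_after_limit": peak_after_limit,
        "sources_over_limit": len(
            {ip for (_, ip), n in per_source_second.items() if n > per_source_limit}
        ),
        "saturated": peak > capacity_rps,
        "saturated_after_limit": peak_after_limit > capacity_rps,
    }


CAPACITY_RPS = 2000    # hypothetical server capacity
PER_SOURCE_LIMIT = 10  # hypothetical per-IP limit


def single_source_flood():
    """One attacker at 5,000 rps: the per-source limiter alone saves the server."""
    records = make_traffic(n_legit=30, legit_rps=2, n_bots=1, bot_rps=5000, seconds=3)
    return analyze(records, CAPACITY_RPS, PER_SOURCE_LIMIT)


def botnet_flood():
    """5,000 bots at 1 rps each: no single IP looks abusive, but the aggregate
    is 2.5x capacity, so the limiter changes nothing."""
    records = make_traffic(n_legit=30, legit_rps=2, n_bots=5000, bot_rps=1, seconds=3)
    return analyze(records, CAPACITY_RPS, PER_SOURCE_LIMIT)


if __name__ == "__main__":
    for name, scenario in (("single source", single_source_flood), ("botnet", botnet_flood)):
        print(name, scenario())
```

In the botnet scenario every bot stays under the per-IP limit, so the only knobs left are the capacity denominator (the bandwidth the article mentions) and filtering done before the traffic reaches the origin, which is what moving behind a cloud provider's scrubbing layer buys.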
A few months after NZX was temporarily shut down, the attackers turned their attention to Telenor Norway, a telecommunications company whose security center is nestled in the seaside town of Arendal, the inspiration for the magical village of Arendelle in the Disney movie "Frozen".
About 80% of Internet usage in Norway passes through Telenor Norway's infrastructure, and the operations center normally mitigates five to thirty DDoS attacks per day. The attack in October unloaded a whopping 400 gigabits of data per second onto the network, a fraction of what was thrown at Google, but still enough to command the full attention of a company of Telenor Norway's size.
In the end, service was interrupted for about an hour, although the attack lasted three, said Andre Arnes, Telenor Group's chief security officer.
Gunnar Ugland, the head of the security operations center in Norway, quickly recognized the parameters of the October attack as it was taking place – just a few weeks earlier, his tech team had written about the NZX attack in the company newsletter. The company also had previous experience with major DDoS attacks and had built "quite a huge infrastructure" to handle the digital disruptions, he said.
"It's not always easy to talk about these issues openly because it shows when you need to be open to discussing the threats and the risks," Ugland said. "There are many companies that don't have DDoS-specific defenses and are likely to have a bigger problem for a much longer time."
In New Zealand, the DDoS attack has caused a good deal of finger-pointing, as well as frustration that NZX was not better prepared.
Jeremy Sullivan, an investment advisor based in Christchurch, said he could forgive a temporary outage, but not a day-long outage, which slowed down order processing. "A DDoS attack is the equivalent of walking into a bank with a hammer and demanding money, it's pretty rude. The fact that they had no defense against it was clearly disappointing," he said.
Some cybersecurity researchers, meanwhile, say they think they know what made the initial wave of attacks so effective: NZX's reliance on two local servers with nowhere near the bandwidth to handle a major DDoS attack. The exchange was in the process of transitioning to cloud-based servers as part of a long-planned update when the attack hit.
The loss of access to those servers "means that the company will eventually cease to exist on the Internet," said Daniel Ayers, a New Zealand-based IT security and cloud consultant who communicated with NZX employees during the outage. Email cannot be delivered, web addresses cannot be resolved.
Worse, Ayers said, those servers didn't have nearly enough DDoS protection when the attack began.
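The consequences Ayers describes, undeliverable mail and unresolvable web addresses, are what happens when a zone's authoritative nameservers are unreachable: once cached answers expire, resolvers can no longer obtain the A or MX records, so the company's web and mail presence vanishes even though the services themselves may be fine. The check below is an added example, not code from the article or from NZX, and the records are constructed for a hypothetical example.co.nz; a real check would read the NS delegation from the parent zone and resolve each nameserver's address. It asks the question a practitioner would want answered before an attack: does this zone's DNS survive the loss of one site or one provider?

```python
"""Does a zone's authoritative DNS survive losing one site or provider?

Added example; the records are constructed for a hypothetical example.co.nz,
not taken from any real zone. Provider labels stand in for what you would
learn from the nameserver's AS or hosting contract.
"""
import ipaddress
from collections import defaultdict

# nameserver hostname -> (IPv4 address, site/provider label), all constructed
ZONE_BEFORE = {  # two servers, one /24, one site: a single point of failure
    "ns1.example.co.nz": ("192.0.2.10", "onprem-dc"),
    "ns2.example.co.nz": ("192.0.2.11", "onprem-dc"),
}
ZONE_AFTER = {  # on-prem server plus two independent anycast DNS providers
    "ns1.example.co.nz": ("192.0.2.10", "onprem-dc"),
    "ns2.example.co.nz": ("198.51.100.20", "anycast-provider-a"),
    "ns3.example.co.nz": ("203.0.113.30", "anycast-provider-b"),
}


def ns_diversity(ns_records, min_networks=2, min_providers=2):
    """Count independent /24s and providers behind the zone's nameservers and
    report whether losing any single provider would leave none reachable."""
    networks = {
        ipaddress.ip_interface(f"{ip}/24").network for ip, _ in ns_records.values()
    }
    by_provider = defaultdict(list)
    for host, (_, provider) in ns_records.items():
        by_provider[provider].append(host)
    # Survivable only if removing every nameserver of any one provider
    # still leaves at least one authoritative server standing.
    survives = all(len(ns_records) - len(hosts) >= 1 for hosts in by_provider.values())
    findings = []
    if len(ns_records) < 2:
        findings.append("fewer than two nameservers")
    if len(networks) < min_networks:
        findings.append(f"all nameservers sit in {len(networks)} /24 network(s)")
    if len(by_provider) < min_providers:
        findings.append(f"all nameservers depend on {len(by_provider)} provider(s)")
    if not survives:
        findings.append("losing one site or provider takes every nameserver offline")
    return {
        "nameservers": len(ns_records),
        "networks": len(networks),
        "providers": len(by_provider),
        "survives_single_provider_loss": survives,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        print(label, ns_diversity(zone))
```

The "before" zone fails every check: two servers on one link at one site go down together, and with them the ability to resolve the domain at all. The "after" zone keeps a nameserver answering if any one provider is saturated, which is the DNS-level version of the layered defense described earlier.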
New Zealand's Financial Markets Authority said NZX's technology, staffing and preparation for a crisis were insufficient. It said a DDoS attack "was to be expected" and "should have been planned for." Similar extortion emails threatening attacks like the one NZX sustained in August 2020 had been sent to New Zealand companies in 2019, according to the regulator.
Regardless, the DDoS attack on NZX made one thing clear: gone are the days of New Zealand acting as if it were a "safe haven like Hobbiton," said Andy Prow, CEO of the Wellington-based cybersecurity firm RedShield Security Ltd, referring to the idyllic home of the Hobbits in "The Lord of the Rings."
"We have literally joined the rest of the world," he said. "New Zealand is beaten just as hard as everyone else."
Photo: The New Zealand Stock Exchange building in Wellington. Credit: Birgit Krippner / Bloomberg.
Copyright 2021 Bloomberg.