NZ’s cyber security centre warns more attacks likely following stock market outages

By Dave Parry, Head of the Department of Computer Science, Auckland University of Technology

The Government Communications Security Bureau (GCSB) has issued a warning to all New Zealand businesses to be prepared for cyber attacks, following almost a week of daily attacks on the New Zealand stock exchange (NZX).

The attacks have caused outages, sometimes for hours, of NZX’s public-facing website since Tuesday last week. Today it continued trading under a new arrangement that allows it to post information to alternative platforms.

The attacks are part of worldwide malicious cyber activity and the government will likely share information via Interpol and government-to-government links, including the intelligence alliance know as Five Eyes.

Creating millions of bots

The type of attack is known as a Distributed Denial of Service (DDoS). The attacker infects large numbers, often thousands or even millions, of computers with a virus that allows the attacker to instruct the infected computer – known as a “bot” – to send thousands of requests for data to the target.

In effect, this means millions of attempts to access a website at the same time. The website being attacked can’t respond to each one quickly enough so either it simply stops responding or responds to some but not all data requests. Some people get the most up-to-date page and others don’t.

This is particularly damaging for financial information sites such as a stock market. They have a legal duty to give equal access to different users. They would normally shut down and stop trading for a while rather than allow some people to get information before others.

These attacks are not designed to steal data or do insider trading. They are generally set up to demand ransom from the victims, usually asking for thousands of dollars paid in bitcoin or another cryptocurrency which is effectively untraceable. Governments, terrorist organisations, political groups and even pranksters have also been known to use these attacks.

DDoS software is available on the dark web but also not very difficult to write. In many cases the people owning the bots will not be aware anything strange is happening.

The current attacks

Multi-day attacks have been rare but are becoming more common. The size of these attacks, including how many bots are used and their capacity to send requests, has been increasing.

Such multi-day attacks are potentially risky for the attackers as the defence team will be analysing the attacks, often using artificial intelligence tools, and should be able to respond more quickly to block illegitimate requests.

The defence against such attacks is based on being able to cope with the large number of requests, either by moving the website to a cloud-based system that can increase capacity quickly, or identifying bot requests and filtering them out by setting up a “whitelist” of legitimate users and excluding others.

This is normally done by firewalls at the level of each attacked entity, the internet service provider or, as in the case of New Zealand, at a country’s electronic border (for example, the Southern Cross trans-Pacific network of communications cables).

If an attack is coming from inside New Zealand, security software on the bot computer can normally remove the infection with up-to-date anti-virus software. Internet service providers can also detect this activity and may warn users or disconnect the infected machine until it is cleaned. But in this case, the attacks are coming from outside New Zealand.

The COVID-19 pandemic means millions of people are working from home around the world, outside their normal corporate security, often using the family computer. Some people may be less careful about downloading software, particularly on illegal streaming sites, and may be using free or unsecured wifi networks. This makes infecting computers to turn them into bots much easier.