NZX attackers have eluded authorities for 2 years, GCSB director believes
Tuesday, 6 October 2020
The crime gang that has periodically crippled the NZX’s website appears to have conducted similar attacks overseas for two years while eluding authorities, GCSB director-general Andrew Hampton says.
The distributed denial-of-service (DDoS) attacks interrupted trading on the exchange in August before a decision was made to allow trading to continue even while the NZX’s website was unavailable.
NZX spokesman David Glendining wouldn’t comment on Tuesday on whether the attacks were continuing, saying it was following expert advice not to reveal that, but indicated the threat remained.
Speaking at an online event hosted by the Trans Tasman Business Circle, Hampton said other New Zealand organisations had been targeted by the group but had stayed out of “the headlines”.
But hundreds of DDoS attacks were typically attempted every month and some attacks that coincided with the peak of the NZX’s woes in August and September were probably not related, he also indicated.
RNZ, Stuff and the operator of the Mount Ruapehu ski field all reported DDoS attacks around that time.
The NZX was understood to have received a ransom demand in the tens or hundreds of thousands of dollars from the attackers, payable in crypto-currency, which it had ignored.
Hampton said the group that targeted the NZX showed the ability to bring to bear “quite significant volumes of internet traffic” that distinguished its attacks from others the spy agency had seen.
The GCSB was highly confident that the group was one that had been active internationally for a couple of years, he said.
“Neither our agency nor any of our intelligence partners know who the group is, and that is not through a lack of effort to try and track it down,” he said.
“The nature of DDoS attacks is that those computers that attack you are spread all around the world – a whole network of compromised computers – and it is very hard to go upstream to find out who is behind it.
“That said, we have seen some common tactics and techniques and procedures used that is providing some clues and obviously we are working with partners around that,” he said.
Hampton said the criminals appeared pretty sophisticated in terms of their technical abilities “and in terms of their own operational security as well”.
“In terms of motivation, it is all about money. We don’t think it is a state-sponsored group; we don’t think it is a group seeking to cause disruption for disruption’s sake, that is why they are targeting the financial sector.”
The United States government has stepped up pressure on organisations including cyber insurers to stop paying or facilitating the payment of ransomware blackmail demands.
But Hampton stuck to a line that paying off cyber crime gangs was not a good idea mainly because it might not be effective – largely sidestepping questions on the ethics.
“I don’t think attacks are ever going to go away but attackers are likely to move on if they determine you are not going to pay up and the more organisations that [avoid] that, the more likely ‘actors’ are going to say ‘let’s not hit that sector’,” he said.
Hampton said GCSB Minister Andrew Little had made “a pretty strong statement around how he considered it unethical to pay ransoms”, referring to a comment Little made to Stuff that doing so was never ethical.
“From an agency perspective we are pretty practical; paying up doesn’t mean this is going to go away and may make you more of a target,” he said.