The Government Communications Security Bureau (GCSB) has issued a warning to all New Zealand businesses to be prepared for cyber attacks, following almost a week of daily attacks on the New Zealand stock exchange (NZX).
The attacks have caused outages, sometimes for hours, of NZX’s public-facing website since Tuesday last week. Today it continued trading under a new arrangement that allows it to post information to alternative platforms.
The attacks are part of worldwide malicious cyber activity and the government will likely share information via Interpol and government-to-government links, including the intelligence alliance know as Five Eyes.
Creating millions of bots
The type of attack is known as a Distributed Denial of Service (DDoS). The attacker infects large numbers, often thousands or even millions, of computers with a virus that allows the attacker to instruct the infected computer – known as a “bot” – to send thousands of requests for data to the target.
In effect, this means millions of attempts to access a website at the same time. The website being attacked can’t respond to each one quickly enough so either it simply stops responding or responds to some but not all data requests. Some people get the most up-to-date page and others don’t.
This is particularly damaging for financial information sites such as a stock market. They have a legal duty to give equal access to different users. They would normally shut down and stop trading for a while rather than allow some people to get information before others.
Blu-tack and cellotape: Sharesies is sharing NZX announcements with its members via a Google Drive https://t.co/VqIazgV62q
— Chris Keall (@ChrisKeall) August 31, 2020
These attacks are not designed to steal data or do insider trading. They are generally set up to demand ransom from the victims, usually asking for thousands of dollars paid in bitcoin or another cryptocurrency which is effectively untraceable. Governments, terrorist organisations, political groups and even pranksters have also been known to use these attacks.
DDoS software is available on the dark web but also not very difficult to write. In many cases the people owning the bots will not be aware anything strange is happening.
The current attacks
Multi-day attacks have been rare but are becoming more common. The size of these attacks, including how many bots are used and their capacity to send requests, has been increasing.
Such multi-day attacks are potentially risky for the attackers as the defence team will be analysing the attacks, often using artificial intelligence tools, and should be able to respond more quickly to block illegitimate requests.
The defence against such attacks is based on being able to cope with the large number of requests, either by moving the website to a cloud-based system that can increase capacity quickly, or identifying bot requests and filtering them out by setting up a “whitelist” of legitimate users and excluding others.
This is normally done by firewalls at the level of each attacked entity, the internet service provider or, as in the case of New Zealand, at a country’s electronic border (for example, the Southern Cross trans-Pacific network of communications cables).
If an attack is coming from inside New Zealand, security software on the bot computer can normally remove the infection with up-to-date anti-virus software. Internet service providers can also detect this activity and may warn users or disconnect the infected machine until it is cleaned. But in this case, the attacks are coming from outside New Zealand.
The COVID-19 pandemic means millions of people are working from home around the world, outside their normal corporate security, often using the family computer. Some people may be less careful about downloading software, particularly on illegal streaming sites, and may be using free or unsecured wifi networks. This makes infecting computers to turn them into bots much easier.
How to respond
Assuming this is a criminal gang, financial institutes are an attractive target. They rely on availability of service and potentially have money to pay ransoms.
In New Zealand, disaster management and recovery has tended to focus on responses to natural hazards rather than criminal activity. New Zealand does not have local cloud providers and expanding capacity is more difficult.
Even if NZX won’t pay a ransom, this attack is “advertising” for the criminal gangs that may act as “subcontactors” to larger criminal organisations.
The government’s aim will not be to catch the perpetrators in the short term but to share information on how to block the attacks. Normally the response is effective, but it can take some time to analyse details.
At the same time, other attacks (for example phishing to steal data) may use the confusion caused by the DDoS attacks to target potential victims. Organisations should encourage people to update their security software and remain vigilant.
In the future, as the internet of things (IoT) becomes more widespread, many billions of new devices will be connected to the internet. Security standards and forensic capability (storing data to analyse attacks) are not universal and there is a danger that these attacks will become more common and larger in scale.
But defence is possible and both technical and policy approaches are getting better. Artificial intelligence tools for rapidly analysing attacks are the focus of research.
Support for governments in vulnerable areas is also increasing to enforce international agreements, clarify local law and share information between network providers. For example, Macau recently introduced a much tougher cyber security law which seems to have been very effective.