NZX should reflect on whether its IT infrastructure is robust enough, the minister in charge of New Zealand's security services says, as many companies have been able to cope with the sort of attacks that have crippled trading for much of the week.
Friday marked the fourth day in a row where trading on the New Zealand Stock Exchange was disrupted by a distributed denial of service (DDoS) cyber attack, although most of the afternoon was unaffected.
In an interview with the Herald, Andrew Little, the Minister responsible for the Government Communications and Security Bureau (GCSB), said the types of attacks were not uncommon, but they did not always have this kind of impact.
"Many companies have IT infrastructure that means they can withstand" these types of attacks "and so they fizzle out very quickly," Little said.
"It's because of the way the NZX's IT is set up, they are obviously more vulnerable and they have had to sustain [the attacks] over a period of four days."
NZX "would appear to be" more susceptible to an attack than many other companies, Little said.
"NZX plays a vital role in our capital markets and it has taken everybody by surprise that they were able to be disrupted for four days in a row through something like a DDoS attack, where many other companies receive these attacks, withstand them, and have no disruption to their business," Little said.
"It's by being resilient enough to attacks like this that is what puts the actors [behind the attacks] off in the end, they just pack up and go away and try the next one, but in this case, NZX has shown a particular vulnerability."
"They have to reflect on their architecture, their IT architecture, to see whether it is robust in this day and age."
Remedial measures taken overnight Thursday appeared to be working.
"Remedial measures were put in place last night, through not only the work of GCSB, the ISP [Spark] and overseas service providers," Little said.
Work would continue over the weekend to try to ensure trading would be unaffected on Monday.
"The nature of these things is the actors can change their modus operandi and come at it from a different way, so everything that can be done to be ready for Monday will be done, but there is a level of unpredictability in all of this."
There have been reports that the attackers demanded Bitcoin to cease the attacks. Little said an investigation was ongoing but the source of the attack was unclear and might never be known.
"Because it was a DDoS attack, they are notoriously difficult to trace back and source, but that work is ongoing."
He would not confirm whether there had been a demand for money.
"I know there's been some speculation it might be state-sponsored. Generally state-sponsored attacks in this area don't use DDoS attacks to achieve what they want. It's more likely a private actor, but nothing can be ruled out."
The significance of NZX was why the GCSB had become involved.
"We know that it has caused concern, and of course the longer it goes then the greater risk to public confidence in the NZX, and the role it plays in our capital markets."
NZX has not responded to a request to comment on Little's statements, but said in an update that when the equity markets closed on Friday, 71,000 trades had taken place with a value of about $278 million.
Trading began at 1pm, three hours later than usual.
NZX chief executive Mark Peterson said the NZX had been the target of ongoing "sophisticated and severe" volumetric DDoS attacks this week.
"This is a systems connectivity issue not a data or communication integrity issue," Peterson said.
"Given that this is an ongoing response, NZX will not be providing detail on the nature of the attacks or counter-measures. We are directly communicating with our stakeholders and market participants and will continue to update them as necessary."
One broker claimed the gossip in the financial community was that the attack was one of the largest of its type that Spark had seen.
Many companies believed they had top-quality infrastructure, but ultimately depended for advice on the companies that provided their services.
"NZX has taken one for the team here. We're all going to be experts in cyber security after this."