The official word is now that the multi-day NZX outages were caused by distributed denial of service (DDoS) attacks on the stock exchange and other sites in New Zealand.
Not ransomware, nor a shady nation-state Advanced Persistent Threat (APT) group getting in via unpatched devices on the network periphery, but an old-fashioned DDoS attack to extort money from the NZX.
As the saying goes, anything old is new again, and here we are, extorting site owners with DDoS attacks like it's the early 2000s.
In those days defence measures weren't that effective and bandwidth was usually very expensive. Even if your site stayed up and could continue to do business, racking up traffic charges from DDoS floods would hurt. It was often cheaper to pay the criminals a few thousand and hope they'd stay away.
The criminals didn't stay away, however, and online casinos in particular were targeted by extortionists.
Interestingly enough, the extortion attacks on online casinos were partly the reason DDoS protection companies came into existence. This includes Prolexic, now owned by Akamai, the giant United States content delivery network that Spark partners with, and which NZX has shifted some of its internet presence to.
Infosec journalist Joseph Menn's 2010 book 'Fatal System Error' features Prolexic and its founder Barrett Lyon who fairly early on had moral qualms when he realised that the offshore gaming outfits his company protected were run by some pretty nasty US and Russian mobsters.
It's a great read, featuring digital recorders hidden in car key fobs, the Federal Bureau of Investigation and UK police going after organised cybercrime with connections to the Russian government, and techies fighting DDoS attacks.
That was well over a decade ago, and there's nothing to suggest of course that Prolexic under Akamai's wings has anything to do with cybercrime.
Nevertheless, despite effective protection technologies by Akamai and others, DDoSing remains a flourishing internet industry with "stresser" and "booter" sites openly advertising their ability to send hundreds of gigabits per second traffic floods at targets.
Internet game servers are often hit by DDoS attacks as hacked-off players (and competing operators) pay a few dollars for booters to drown them out.
It's important to note that denial of service attacks can be self-inflicted too. As the Covid-19 pandemic started, Australians were told to access welfare services online.
And so they did, in such numbers that the myGov site couldn't handle all the visitors and went down.
Initially, the Australian government said the outage was caused by a DDoS, but eventually had to admit that myGov was simply overwhelmed. Likewise, configuration mistakes can cause traffic floods too, like at Telstra recently where an unspecified "messaging storm" was first said to be a DDoS.
Then there's the 2014 "internet meltdown" at Spark, apparently caused by people clicking on links to nude celebrity pics which, on top of the titillation, installed DDoS malware on their computers.
Such self-inflicted DoSes cause random mayhem in networks, but it is possible to flood specific targets as well.
In simple terms, someone on Network A can send requests to services on the internet, like asking a program for the time, or a listing of resources available, and make it appear as if they had come from an address on Network B.
Most New Zealand internet providers block this kind of source-address spoofing at their edge, but many overseas networks still happily pass it on, and the replies land on the victim. If attackers pick services that answer a small request with a large response, the reflected flood is amplified enormously.
In one case discovered two years ago, the amplification factor was as high as 51,200 times. It means attackers can send tiny packets and generate colossal DDoSes that arrive at the victim from many different networks, none of them the attacker's own.
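What that reflection traffic looks like from the victim's side of the fence is worth seeing in code. The following is an added example, not from the column or from NZX, GCSB or Akamai: it runs a simple check over constructed NetFlow-style UDP records, flagging inbound flows that come from well-known reflector ports (DNS, NTP, CLDAP, SSDP, memcached, the port list being my own choice) and dwarf anything the local host sent to that service. A victim of a spoofed-source flood receives large answers to questions it never asked, so the inbound-to-outbound ratio is the tell. The prefix 203.0.113.0/24, the threshold of 10 and all the addresses and byte counts are assumptions made for the example.

```python
"""Flag probable reflection/amplification floods in UDP flow records.

Added example, not code from the original article. The flow records are
constructed and the reflector port list is the example author's choice.
"""
from collections import defaultdict

# UDP services that have historically been abused as reflectors, keyed by port.
REFLECTOR_PORTS = {
    53: "dns",
    123: "ntp",
    389: "cldap",
    1900: "ssdp",
    11211: "memcached",
}

# Constructed NetFlow-style records: (src_ip, src_port, dst_ip, dst_port, bytes).
# Each record is one unidirectional UDP flow observed at the network edge.
# 203.0.113.0/24 plays the local network; 192.0.2.x and 198.51.100.x are remote.
FLOWS = [
    # Legitimate DNS: a 60-byte query out and a 120-byte answer back.
    ("203.0.113.10", 40000, "198.51.100.5", 53, 60),
    ("198.51.100.5", 53, "203.0.113.10", 40000, 120),
    # Reflection: large memcached responses arriving at a host that sent
    # nothing to those reflectors (the attacker spoofed 203.0.113.50).
    ("192.0.2.20", 11211, "203.0.113.50", 80, 1400000),
    ("192.0.2.21", 11211, "203.0.113.50", 80, 1400000),
    ("192.0.2.22", 11211, "203.0.113.50", 80, 1400000),
    # NTP responses with a tiny matching request: the ratio is still suspicious.
    ("203.0.113.50", 12345, "192.0.2.30", 123, 50),
    ("192.0.2.30", 123, "203.0.113.50", 12345, 28000),
]


def analyse(flows, local_prefix="203.0.113.", min_ratio=10.0):
    """Return {victim_ip: {service: (bytes_in, bytes_out, ratio)}}.

    A (host, service) pair is reported when inbound bytes from that service's
    reflector port exceed the bytes the host itself sent to the service by at
    least min_ratio. A host that sent nothing at all gets ratio float('inf'),
    the clearest sign that the requests were spoofed by someone else.
    """
    bytes_in = defaultdict(int)   # (local host, service) -> bytes received
    bytes_out = defaultdict(int)  # (local host, service) -> bytes sent
    for src, sport, dst, dport, nbytes in flows:
        if dst.startswith(local_prefix) and sport in REFLECTOR_PORTS:
            bytes_in[(dst, REFLECTOR_PORTS[sport])] += nbytes
        elif src.startswith(local_prefix) and dport in REFLECTOR_PORTS:
            bytes_out[(src, REFLECTOR_PORTS[dport])] += nbytes

    findings = defaultdict(dict)
    for (host, service), received in bytes_in.items():
        sent = bytes_out.get((host, service), 0)
        ratio = received / sent if sent else float("inf")
        if ratio >= min_ratio:
            findings[host][service] = (received, sent, ratio)
    return dict(findings)


if __name__ == "__main__":
    for victim, services in analyse(FLOWS).items():
        for service, (received, sent, ratio) in services.items():
            print(f"{victim}: {received} bytes in from {service} reflectors, "
                  f"{sent} bytes out, ratio {ratio}")
```

On the constructed records only 203.0.113.50 is reported: 4.2 MB of memcached responses against zero bytes sent, and 28,000 bytes of NTP against a 50-byte request. The ordinary DNS exchange has a ratio of 2 and stays quiet. In a real network the same logic runs over exported flow records rather than a list literal, and the threshold wants tuning per service, since legitimate DNS and NTP answers are larger than their queries too.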
That's nothing new though, and as Andrew Little, the minister responsible for our GCSB cyber spies, pointed out, many companies' IT infrastructure is set up so that it can withstand DDoS attacks.
Despite NZX being critically important to the country, its IT infrastructure was, as Little said, set up in a way that left it susceptible to the attacks.
GCSB's crib sheet on how to cope with DDoSes is good, but getting the full technical details on where NZX went wrong is better.
It's a safe bet that attackers are scanning for other organisations with similar vulnerabilities to those NZX had, and identifying the weak points would be extremely helpful.