The New Zealand Stock Exchange website crashed for a third day in a row, just as the S&P NZX-50 was 8 points short of its all time high.
Experts say apparent cyber attacks causing the platform failure as a very serious attack on critical infrastructure in New Zealand. And the fact that it's happened on a third day indicates a high level of sophistication and determination.
In a statement this morning NZX said it had to halt trading at 11.10am on its cash markets, due to a systems connectivity issue.
"NZX is continuing to work with its network provider [Spark] to investigate the source of the issue, following volumetric DDoS (distributed denial of service) attacks from offshore on 25 and 26 August."
The Exchange was hit by a cyber attack on Tuesday afternoon, halting trading for an hour.
Hamilton Hindin Greene chief financial officer Grant Williamson said the NZX outages were very frustrating for all involved.
"It is really creating a build up in orders that can't be actioned until the market opens again."
Williamson said he hadn't seen anything like this in a long time and noted it was probably the 1990s when he last saw it.
"It is extremely frustrating." Williamson said in the majority of cases it hadn't affected its clients but it could cause problems if something happened offshore and share prices moved strongly upwards or downwards and left a big gap when the NZX started trading again. He said it was waiting to hear from the NZX on when the issue would be fixed.
"I'm sure they are working extremely hard. I just hope this will be the last one we see."
And the NZX went down again yesterday at 11.24am and came back online around 12.20pm - only to go offline again around 1.20pm before full service was restored at 3pm.
Shane Solly, senior portfolio manager at Harbour Asset Management, said he expected the exchange and the broking community will pick up the activity pretty quickly once service is resumed.
"Certainly disruptive... other than not helping with price setting on a busy day for company results its not causing liquidity problems for institutional investors at this stage."
Declan Ingram, deputy director of Crown cybersecurity agency Cert NZ, said his organisation never commented on individual cases, because it did not want to inhibit organisations from reporting problems.
But late last year, Cert did issue an alert around DDoS extortion attempts by Russian gangs - or at least gangs claiming to be Russian - who were targeting the financial sector in New Zealand.
"In 2019 we received 84 incident reports about DDoS attacks. In particular, cyber attackers emailed organisations alerting them that they would be subject to a DDoS attack unless they paid a ransom before a specified deadline. In some instances, the attackers initiated a warning or demonstrative attack against the organisation's IP network to prove their intent.
"Cert NZ does not recommend paying ransoms, as this could result in being targeted again," Ingram said.
That might be the official advice, but Wellington lawyer Michael Wigley has said there are some situations when paying up is the pragmatic choice - and Garmin reportedly paid a recent $14m ransom demand.
NortonLifeLock senior director Mark Gorrie told the Herald he saw financial motivation behind the twin attacks on the NZX.
"A distributed denial-of-service attack is one of the most powerful weapons on the internet, it overwhelms a site or service with more traffic than the server or network can accommodate. DDoS attacks are a weapon of choice by profit-motivated cybercriminals," Gorrie said.
"In the case of the NZX, we would guess the motivation behind the attack is profit-driven."
Cybercriminals traditionally send ransom demands before a DDoS attack, Gorrie said.
"It's financially driven in that regard, they also seek to breach systems and find high-value information, such as bank details or other personally identifiable information. This too can be ransomed, or sold on the dark web for financial gain. Don't underestimate cybercriminals. They're highly capable and well-resourced to sustain an attack such as the one happening to the NZX."
Gorrie added, "It's worth noting that in 2015 and 2016, a criminal group called the Armada Collective repeatedly extorted banks, web host providers, and others. We don't know why the attack happened, but cybercriminal motivation is more often than not about the same thing: Money."
NZX has so far refused to comment on Cert NZ's extortion alert or Gorrie's theory that the attacks are financially-motivated.
Security expert Ayers was surprised by the turn of events, tweeting: "Doesn't the NZX have DDoS protection?"
Spark had no further comment last night but is expected to give more information this morning.
Some DDoS attacks are executed for kicks, to prove a hacker's chops; some are politically motivated; others have criminal intent.
They have been out of the headlines for a couple of years, as hackers have turned more toward ransomware attacks that see data encrypted then a sum demanded for its release.
The Russian DDoS attack covered by the Cert NZ warning is variously known as "Fancy Bear" or "Cozy Bear".
The GCSB says it has prevented $100 million in harm from cyberattacks since 2016, and its cyberattack defences extend to un-named private sector players - but a spokesman said this morning it treats incidents as commercial in confidence to encourage organisations to disclose attacks.
'Serious attack on NZ infrastucture'
AUT computer science professor Dave Parry said, "This is a very serious attack on critical infrastructure in New Zealand. The fact that this has happened on a second day indicates a level of sophistication and determination which is relatively rare.
"DDoS attackers normally infect large numbers of 'innocent' computers with malware, turning them into 'bots' that can be instructed to keep trying to access the affected site. It's like large numbers of people all shouting at you at once – you can't distinguish the real messages from the false ones.
Normally there are two main ways to react, Parry said:
• Shut down the 'bots' – often by getting users to update security patches and delete the malware.
• Block the IP addresses of the 'bot' machines using a firewall - blacklisting - so that the NZX site doesn't have to deal with them.
"Because this is coming from overseas, the first option is difficult although there will be communication with legitimate ISPs and governments overseas. For the second option, Spark will be looking at network traffic to identify sources and block them. Sophisticated attackers will be changing the IP addresses of the attacking computers, potentially via Virtual Private Network (software, turning them on and off and also adding new ones).
"The GCSB will be involved along with Cert in trying to identify the source of the attack. Unfortunately, the skills and software to do this are widely available and the disruption of Covid and people working from home all over the world potentially with lower security on their computers means that these attacks are easier than usual."
Communications Minister Kris Faafoi said the NZX attack did not bear the hallmarks of a state actor, according to advice he had received today.
But Parry responded that state-backed hackers often mimicked the behaviour of private hackers.
Parry added, "These sort of attacks can be mounted by governments or private criminal gangs. Recently, Australia has pointed the finger at the Chinese government for similar attacks; the Chinese government has strongly denied this. As yet, there is no evidence that this attack is by an overseas government. Criminal gangs, especially if they are based in poorly-regulated countries, can use these attacks to demand ransoms.
"This is not an issue around New Zealand computers being vulnerable to security breaches, but it is worth checking that anti-virus and security patches are up to date, and that people running websites, etc. notify their ISP if there is unusual activity."
What is a DDoS attack?
Security company NortonLifeLocks says criminals prepare for a DDoS attack by taking over thousands of computers. These are often referred to as "zombie computers". They form what is known as a "botnet" or network of bots. These are used to flood targeted websites, servers and networks with more data than they can accommodate.
A volume-based or "volumetric" DDoS attack, which was apparently the variant that hit the NZX, sees massive amounts of traffic sent to overwhelm a network's bandwidth, NortonLifeLock says.
The company says a DDoS attack has to be repelled at the internet service provider level (often this involves temporarily blocking traffic from certain IP addresses).
But it is also a good idea to keep your security software up to date so your PC does not unwittingly become part of a botnet attack.
The NZX did not immediately respond to questions about whether it had received any extortion demand, whether its communications setup involved multiple providers for redundancy, and what steps were being taken to avoid another attack.