The NZX and its connectivity provider, Spark, could be locked in an "arms race" with an unknown enemy after repeated cyber attacks forced a halt to share trading.
And the latest step seems to have involved drafting in a big gun.
Although it has yet to confirm the move, publicly searchable configuration information indicates the NZX has moved its domain nzx.com to Akamai Technologies, the multinational content delivery network. The website for the bourse is still served up from a content delivery network run by Red Shield in Wellington.
The move comes after Australian security commentator Catalin Cimpanu said a source in the security industry had told him a group of "DDoS extortionists" was behind the attacks on the NZX.
The group, which demands a ransom paid in bitcoin to lay off its attacks, is said to be imitating a Russian group sometimes known as Cozy Bear. The group is said to also be responsible for attacks on money transfer service MoneyGram, YesBank India, PayPal, Braintree, and Venmo this week.
A DDoS attack involves a mass of hijacked computers trying to access a site at once, overwhelming it. Late last year, Crown cybersecurity agency Cert NZ warned that a group posing as Cozy Bear was targeting NZ financial institutions, as well as others around the globe.
The NZX and Spark have refused to say if extortion is involved. Cert NZ and the GCSB say they won't comment on individual cases, for fear of inhibiting organisations from reporting future attacks (although the NZX did acknowledge in a statement that it is working with the GCSB).
Meanwhile, brokers and investors are counting their losses as the stock exchange battles to take control of the situation.
"With the market open for small amounts in the day, you can transact a fair chunk of the order flow [but] outages during the day have a big impact on trading and daily activity which goes on," said Neil Paviour-Smith, managing director at Forsyth Barr.
"Prolonged outages do have an impact on the confidence in the resilience [of the market] and that is something we all will be keen to hear about once they fix this issue up and we can reflect on it and understand exactly what's happened here."
AUT computer science professor Dave Parry expressed surprise the stock exchange remains a target for cyber attackers.
"I'm surprised that this has happened again - normally these are relatively short events," Parry told the Herald after the NZX was hit by apparent DDoS attacks for a third day in a row.
"I don't feel that this is necessarily a failure by NZX or Spark," he said.
"Attacking more than once is relatively rare.
"The attacker will have to be making changes in their attack to get past the defences that have been set up. It's normally easier for them to move on to another target.
"There is an 'arms race' between the defence and the attacker. The attacker has an advantage in that they can choose when and what to attack and how to do it. Spark will be reacting to this but it is quite possible that the specifics of this attack have not been seen before and each day will be different."
In a statement this morning NZX said it had to halt trading at 11.10am on its cash markets, due to a systems connectivity issue.
"NZX is continuing to work with its network provider [Spark] to investigate the source of the issue, following volumetric DDoS (distributed denial of service) attacks from offshore on 25 and 26 August."
Yesterday, NortonLifeLock expert Mark Gorrie said the repeated attacks could indicate an extortion attempt, and Crown agency Cert NZ earlier issued an alert that a possibly Russian cybercriminal gang, going by various monikers including "Fancy Bear", was targeting NZ financial institutions, as well as international targets.
Parry says while extortion is possible, "My hunch is that it's more to demonstrate ability by the attacker.
"I think it is unlikely that NZX would pay. It's too public, and too linked to Government regulation. However, attackers often sell their skills to extortionists so this would be a demonstration that the attacker can pull off a difficult attack. So if an extortionist goes to a different target, they can say 'we are working with the people who attacked NZX, pay us or we will attack you.'"
NZX and Spark declined detailed comment. Red Shield boss Andy Prow said, "NZX is a customer and therefore I cannot talk about any specifics.
"I can say that we do shield many web-apps for them including NZX.com, which was made public in the news this evening.
"I can also say that the attacks to date have been DDoS attacks focused on its network infrastructure.
"None of the attacks or disruptions so far have been caused by attacks that have gone through RedShield. There are of course teams at NZX, RedShield and other providers watching closely 24x7 both in NZ and overseas monitoring the situation continuously."
In the dark and not happy
One broker, who did not want to be named, said when the issue was resolved the market would want to know whether this was such a severe attack that the impact could not be prevented, or whether Spark or NZX was not properly prepared.
"Is this such an overwhelmingly aggressive attack that even with a high level of security in place it still would have an impact, or has this arisen because they haven't invested or tested things as much as they should have?"
Many of the major NZX companies were also on the ASX and the outages were probably causing trading to drift across the Tasman.
Another investment chief questioned why international cyber criminals would target the world's smallest stock exchange.
While NZX had made it clear what the issues were, it had still been unable to resolve them.
A major concern, he said, was the MSCI rebalancing on Monday which would normally more than double the amount of volume going through the market.
"There's a fair amount of sympathy for the NZX but everyone wants to know what on earth is going on."
Shane Solly, senior portfolio manager at Harbour Asset Management, said: "Certainly it's disruptive, but I'd expect the exchange and the broking community will pick up the activity pretty quickly once service is resumed.
"Other than not helping with price setting on a busy day for company results it's not causing liquidity problems for institutional investors at this stage."
With reporting by Juha Saarinen.