Publicly listed companies on NZX face cyber attacks

NZX was the focus of a prolonged cyber-attack earlier in the year. Photo / File

By Emma Hatton of RNZ

The target for cyber attacks has shifted from the New Zealand stock exchange to the companies listed on it.

Some of New Zealand's biggest companies have been hit by DDoS - or distributed denial-of-service - attacks from what is likely to be the same group that targeted the NZX website last month.

RNZ has confirmed the attacks with several listed companies that have been affected in various ways in the past week.

The Government Communications Security Bureau (GCSB) hosted a large-scale meeting last week to address the issue, RNZ understands.

In a statement, a GCSB spokesperson said malicious cyber activity was continuing to target a range of organisations.

"We will not comment on the specifics of the malicious cyber activity observed, or the GCSB's operational response because we are aware that malicious cyber actors follow public reporting.

"We know that malicious actors sometimes refer to media reporting as a way of establishing their credibility and may change their behaviour towards organisations based on media reporting of their activity."

Companies - affected or not - are being advised to keep a low profile and make no public comments.

Some companies confirmed the attackers had made contact with them, while others only noticed their website down for short periods of time.

Cyber expert and Darkscope International director Bruce Armstrong said it was not surprising the attacks were continuing and it was more than likely done by the same group which targeted the NZX.

"They've been working their way through various countries finding large organisations that they can ransom and attack.

"Their pattern is: they'll contact the organisation, make a ransom request and then they'll do a sample which is usually a fairly low-level attack like half an hour ... then they turn the volume up."

Armstrong said New Zealand organisations generally did not pay cyber attackers, but the more companies targeted, the more likely it would be that someone paid.

"There will be some they hit that feel they can't bear the attack that will pay up and that will be enough of a return for their time spent working their way through those organisations."

"It's a US$6 trillion a year industry, so it's a massive industry and the people who are doing it are well trained, well paid and they turn up to work each day to work out how to steal money from people."

He said when mandatory reporting for such attacks comes in under changes to the Privacy Act on December 1, the true scope of such attacks would become clear.

"When [mandatory reporting] kicked in, in Australia in 2018 the number of reports increased seven-fold. CERT NZ has 200 reported cases a year ... so that's going to go to 1400."

He said reporting would help change the behaviour of organisations and make firms more aware of their risks and how to mitigate them.