Why a sudden surge in cyber-attacks?
It could be yet another problem we can pin on the pandemic.
Experts see a link with New Zealand's level 4 lockdown.
Yesterday DDoS (distributed denial of service) attacks rendered Kiwibank, ANZ, NZ Post and MetService's sites inaccessible for large parts of the morning. The NZ Police website also had brownouts. For Kiwibank it was a repeat of problems experienced on Friday. ANZ has suffered fresh problems today.
"It would seem that because our situation in level 4 is as well known throughout the world, and that we are relying more on our digital services, particularly with banking, it makes sense for cyber-criminals to target those services - presumably believing that they could demand a higher ransom or that a ransom might be more forthcoming," said AUT senior lecturer in software engineering Ken Johnson.
Peter Bailey, GM of homegrown IT security outfit Aura (recently bought by Kordia) had a related theory.
"We've seen a lot more DDoS and ransomware attacks over the last year than we've seen in the past. And there's speculation that it could be partly because we've been in the international press, with coverage about how well we've done with Covid. So we've come to the notice of attackers with our stronger economy - and they want to give us a bit of a go."
Bailey also has a second theory that's less flattering to NZ.
"There's also been talk over the last couple of years that as the US gets a lot stronger in cyber defence, the attackers are looking for countries that are less prepared. And, you know, New Zealand is one of those that's come up on the list that they're quite interested in," he said.
Theta head of cyber security Jeremy Jones agreed that increased digitisation with Covid - while a net positive overall - made us a juicier target for hackers.
He added, "The price of delivering a large DDoS attack has never been cheaper or easier. Generally in these cases, it is simply extortion: 'Pay us some bitcoins or we'll turn you off'." (None of the sites affected so far had made any detailed comment on the attacks by press time. Kiwibank and ANZ would not even confirm if a cyber attack had caused their outages, let alone if any ransom had been involved or paid.)
Whatever the reason, NZ is being disproportionately targeted for DDoS attacks, according to US security company Imperva, whose 2021 DDoS Threat Landscape Report says we are the sixth-most targeted country - albeit in the context of the US drawing easily the most fire.
Last year, cyber-attacks worldwide escalated as security holes were opened by workforces scattering to home offices, just as organised crime groups - starved of many of their usual money-making activities by lockdowns - turned to online shakedowns.
Australia reacted to that development, plus a rise in cyberattacks by state actors, by throwing billions more at cyber-security, while NZ's response, including a noticeably muted ICT spend in Budget 2021, could be measured in the order of tens of millions.
No data at risk
Some brighter news: AUT's Johnson said that while yesterday's attacks were an annoyance, and would have been a business cost for many, no data was ever at risk.
"A DDoS attack floods a website with connection requests that make any legitimate request from a customer get lost in the mix."
But while it effectively renders a website inaccessible to its regular users, there is no attempt to "break in" and steal or encrypt data.
"They block entry. There's no attempt to access the system itself," he said.
On social media, some said a DDoS attack could be a distraction, deployed while a ransomware attack is also under way and a grab made for data. Johnson says that theory doesn't add up, though. "A DDoS attack exhausts all of a site's resources," he said. It leaves no way to access the site, and that includes the baddies.
Preparing for the worst
Bailey says that while rank-and-file staff can do their bit to help stop ransomware sneaking into a network - by constantly changing passwords, and being suspicious of email attachments and so forth - stopping a flood of bots is really something that can only be done by the IT department, working with internet and security partners.
Yesterday, the Government's Computer Emergency Response Team (CERT NZ) said it was aware of a series of DDoS attacks. "We are monitoring the situation and are working with affected parties where we can," the agency said. (The GCSB's National Cyber Security Centre declined immediate comment, saying any comments in the media could tip its hand to hackers.)
Stopping a DDoS attack is largely a matter of spotting the IP (internet protocol) addresses the flood of bot connection requests is coming from, then filtering or rate-limiting them - which, for an attack of any size, usually has to happen upstream with an ISP or a specialist DDoS mitigation provider rather than at the site itself, because the sources are many and each one may look harmless on its own. (The addresses don't reveal the location of the attacker - and no one has any idea yet in the case of yesterday's attacks - but rather point to various PCs around the world that have been taken over by malware and turned into "zombies".)
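The two points made above - that a flood of connection requests drowns out legitimate customers, and that mitigation starts with spotting the addresses the flood comes from and blocking them - can be shown concretely. The following is an added example written for this page, not code from the article or from any of the organisations it names. It parses constructed web-server access-log lines (Common Log Format), counts requests per client address inside a sliding window, flags sources over a per-address threshold, and then checks whether what remains would still exceed the site's capacity, which is the case where local blocking is not enough and the problem has to go upstream. The log format, window size, thresholds and sample traffic are all assumptions made for illustration.

```python
"""Per-source flood detection over web-server access logs.

Added example, not code from the article or from any organisation it
names. Log format, window sizes, thresholds and the sample traffic are
all constructed here for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# Common Log Format: client ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def find_flooders(lines, window_seconds=10, per_ip_limit=50):
    """Map each source whose request count inside any window_seconds-long
    sliding window exceeds per_ip_limit to the peak count seen for it.
    Lines must be in time order (per source is enough here)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps still inside its window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed input must not crash a detector under load
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > per_ip_limit:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def peak_aggregate_rate(lines, window_seconds=10, exclude=frozenset()):
    """Peak number of requests from all sources (minus `exclude`) inside one
    window. Lines must be in global time order. This is the load the server
    actually has to survive: many zombies can each stay under the per-IP
    limit and still exhaust it between them."""
    window = timedelta(seconds=window_seconds)
    q = deque()
    peak = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[0] in exclude:
            continue
        q.append(parsed[1])
        while parsed[1] - q[0] > window:
            q.popleft()
        peak = max(peak, len(q))
    return peak


def triage(lines, capacity_per_window=500):
    """Block the loud sources locally; if what is left would still exceed
    what the site can serve per window, the flood is too distributed to
    filter at the edge and needs ISP or scrubbing-provider help."""
    block = sorted(find_flooders(lines))
    remaining = peak_aggregate_rate(lines, exclude=set(block))
    return {"block": block, "escalate_upstream": remaining > capacity_per_window}


def make_sample_log():
    """Constructed traffic: one noisy zombie, one real customer, and 200
    low-rate zombies that only hurt in aggregate. Returned in time order."""
    base = datetime(2021, 9, 8, 9, 0, 0, tzinfo=timezone(timedelta(hours=12)))

    def entry(ip, offset_s):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 512'

    lines = [entry("203.0.113.7", i * 0.05) for i in range(120)]  # 120 hits in 6 s
    lines += [entry("198.51.100.20", i * 12) for i in range(5)]  # 5 hits in a minute
    for n in range(1, 201):  # 3 hits each, all inside the same 8 s
        lines += [entry(f"192.0.2.{n}", 1 + n % 8) for _ in range(3)]
    lines.sort(key=lambda line: parse_line(line)[1])
    return lines


if __name__ == "__main__":
    log = make_sample_log()
    print("per-IP flooders:", find_flooders(log))
    print("peak requests per 10 s:", peak_aggregate_rate(log))
    print(triage(log))
```

On the constructed sample, only the single noisy zombie trips the per-address threshold; the 200 low-rate zombies never do, yet after the loud source is blocked the site still faces about 600 requests in a 10-second window, above the assumed capacity. That is the shape of a real distributed attack, and it is why the text's advice that the IT department work with internet and security partners matters: the filtering has to happen where the traffic can be absorbed.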
But MetService won plaudits from Bailey and Johnson for being able to almost immediately stand up a backup site yesterday morning, then direct its users there via social media. After it suffered DDoS attacks last year, NZX eventually implemented a similar measure so it could keep getting market announcements to investors in real time if its main site were knocked offline again. (As with yesterday's attacks, NZX's trading system and data were never at risk; what forced the exchange to suspend trading was that its website was offline, so it could not post the market announcements companies need to meet continuous disclosure rules.)
Johnson noted that while MetService's backup site (www2.metservice.com) lacked the bells and whistles of its regular site, and the approach might not be suitable for every business, it was a solid prepare-for-the-worst strategy.
"If you are providing alternative access to the services that your customers demand, and your business can keep running, then ultimately, it's a good plan."
"The complexity and size of these attacks means there is often collateral damage and different organisations being served by the same ISP can be affected, too," Jones said.
"One learning point here is that our design and operation of online services needs more industrial levels of DDoS protection.
"Another is that ISPs are often too slow to provide adequate protection to their customers. These attacks are large, sophisticated and fast-moving, but if your day job is delivering network services to entire populations you should know that and have the means to detect it and do something about it."