New Zealand spy agency to defend stock exchange from cyber attack

Government treating matter seriously as hackers disrupt market for fourth day

Grant Robertson, New Zealand’s finance minister, delivers the budget at parliament in Wellington.
Grant Robertson, New Zealand’s finance minister, delivers the budget at parliament in Wellington.

New Zealand called in its spy agency and activated security crisis plans to help defend the stock exchange from overseas attack after hackers disrupted the market for a fourth straight day.

"We as a government are treating this very seriously," finance minister Grant Robertson said Friday, adding agencies would coordinate to deal with the threat. "There are limits to what I can say today about the action the government is taking behind the scenes due to significant security considerations."

The NZ$204 billion (€114 billion) stock market has been the target of distributed-denial-of-service attacks that have overwhelmed its website and forced trading halts since Tuesday. The national security plan is triggered in response to a crisis that threatens New Zealand’s interests or international reputation.

Authorities haven’t commented on the suspected source of the attacks, which flood a network with internet traffic and disrupt services, other than saying they originate from offshore.

READ MORE

Security intelligence company Akamai warned earlier this week that extortionists claiming to be the Russian-linked hacking group Fancy Bear have recently been sending ransom letters to companies in finance, travel and e-commerce in the Asia Pacific, US and UK demanding payments to stop attacks.

New Zealand stock exchange operator NZX is among the companies targeted, the ZDNet website reported, citing an unidentified source in the DDoS mitigation field.

The exchange failed to open at 10am this morning despite assurances from NZX that it would. Trading finally began three hours later at 1pm. The market lost an hour of trading on Tuesday, three on Wednesday and almost six hours yesterday from the repeat attacks. NZX has declined to comment on whether any demands have been made.

The disruptions, which come as the benchmark S&P/NZX-50 index nears a record high, are frustrating investors who were unable to trade amid a busy company earnings season.

The outages are “hugely disruptive for everyone,” said Michael Midgley, chief executive officer of the New Zealand Shareholders’ Association.

“Our main concern, aside from any attempted incursion, is that it is potentially damaging to information flows. In the Covid world the audience is keenly watching to see how reported data relates to forecasts.”

In November, government cyber security agency CERT NZ said it had received reports of extortion emails targeting companies within the financial sector in New Zealand. It said the emails claimed to be from a Russian group called “Fancy Bear/Cozy Bear” and demanded a ransom to avoid denial-of-service attacks. CERT declined to comment on the NZX incidents.

Fancy Bear is another name for the Russian hacking group APT28, which has been linked to attacks against the US Democratic Party, the White House and Nato. Security experts have also linked it to attacks on European government institutions and private companies and say its primary mission is to gather intelligence in support of the Russian government.

The group sending ransom emails is highly unlikely to be the real Fancy Bear, but is using its name to gain notoriety, according to Yihao Lim, a cyber threat intelligence analyst at Mandiant Threat Intelligence in Singapore.

“It’s plausible that they are cyber gangs calling themselves Fancy Bear involved in this incident,” he said.

The Financial Markets Authority, which regulates NZX, yesterday said it was monitoring the incident. It didn’t immediately respond to requests for further comment today. Spark New Zealand, which is NZX’s Internet service provider, also didn’t immediately reply to e-mailed questions.

When asked Friday if it had received ransom emails threatening attacks, Australia’s ASX said that as a matter of policy it doesn’t “comment on specific cyber-related matters”.

“We have a range of security protections in place and work closely with government and relevant agencies to maintain the integrity of our services. ASX markets are operating normally,” it said. - Bloomberg