New Zealand Calls In Spy Agency To Deal With Exchange Attacks

New Zealand has called in its intelligence agency after hackers disrupted trading on its stock exchange for the fourth day running, emphasising the unprecedented nature of the attack.

Exchange operator NZX initially said trading would open as usual on Friday morning, but called a halt minutes later due to continued disruption. Trading finally resumed at 1 p.m. New Zealand time.

The attacks began on Tuesday and come from a source the government has only said is “offshore”.

NZX said the attacks targeted its market disclosures platform, forcing it to halt trading in order to ensure market integrity.

Spy agency

It said in a statement it has been working with its network service provider and national and international cyber-security organisations to address the attacks on the NZ$204bn ($135.5bn) exchange.

New Zealand finance minister Grant Robertson said the GCSB spy agency had been brought in to work with NZX, given the exchange’s significance to the country’s economy.

The disruption has been caused by distributed denial-of-service (DDoS) attacks, which bombard networks with large volumes of traffic, overwhelming their ability to function.

Industry watchers said the attacks are unprecedented in the level of disruption they have caused.

“The incident in New Zealand underscores the threat of disruption to critical financial infrastructure,” said John Hultquist, senior director of analysis at Mandiant Threat Intelligence.

“Destructive or disruptive attacks against exchanges could have cascading effects across the economy and ultimately this approach may be more successful than attacks on the energy sector and other industries.”

Hultquist noted that Iranian hackers have previously carried out such attacks on the financial sectory, but did not target exchanges or succeed in seriously disrupting major financial-sector processes such as securities trading.

Ransom

NSX and the New Zealand government declined to comment on what they believe the source of the attack to be or whether ransom demands have been made, other than to say the attacks originated from outside the country.

Some industry watchers speculated the incident may be the work of a state-backed hacking group.

However, tech news website ZDNet reported that the attacks were being carried out by a threat group identified by cloud services company Akamai earlier this month.  The site cited an unnamed source within the security industry.

The same group also carried out attacks on money transfer service MoneyGram, YesBank India, Worldpay, PayPal, Braintree and Venmo last week, ZDNet cited its source as saying.

Akamai’s report identifies a previously unknown threat group that has sent ransom demands to organisations in the finance industry, as well as travel and e-commerce firms.

The ransom letters claim to originate from well-known hacking groups such as the Armada Collective or the Russian state-backed Fancy Bear group, Akamai said.

However, Akamai’s researchers said they believe the attackers may be copycats using the reputation of other groups to prompt a quick payout.

“The Akamai SIRT suspects the extortion demands are originating from copycats using the reputation of known attack groups as a means of intimidation in order to expedite payment,” the company said in its advisory.