The head of the Telecommunications Users Association of New Zealand says the attacks on the NZX are highly unusual and serve as a good reminder for corporates to make sure their defences are up.
The stock exchange suffered trading halts last week and disruption yesterday for a fifth day, after denial of service attacks took its website offline.
The NZX markets opened at 10am today and trading was under way as usual during the morning with the NZX website also functioning without interruption.
The minister overseeing the country’s spy agencies, Andrew Little, said the NZX was sent messages warning of the attacks.
Telecommunications Users Association (Tuanz) chief executive Craig Young said the attack is embarrassing for the NZX.
“Most corporates are prepared for these types of attacks and it seems, in this case which is highly unusual, that the attackers have found a vulnerability in the NZX site and are therefore continuing to have another crack at it each day.”
“This is a financial institution that we rely on and they have high-profile suppliers. It’s quite unusual for these sorts of attacks to occur over multiple days.
“Usually what happens is they have a go, get repulsed, and they move on. They get bored very quickly and look for another target. In this case, they’ve found a vulnerability that they keep having a go at.”
Young said it’s a good reminder to New Zealand that, while we think we’re isolated and far away from the rest of the world, we’re only microseconds away online.
“These types of cyber-criminals will work anywhere in the world where they see a vulnerability, whether it’s New Zealand or somewhere else.”
He said New Zealand is seen as a bit of an easy target and can be used to launch attacks from.
“It’s a scary thought but it’s not actually people in New Zealand who are doing it, but they are using our systems and going through our networks to get to those places.”
Corporates should heed what’s happened with the NZX and use it as a timely reminder to look at their own defences, Young said.
Unlike many other countries including the UK and Australia, New Zealand has no mandatory reporting of cyber attacks so we often don’t know when corporations are hit.
“What’s unusual about this one is that it’s highly public and we’re seeing the impacts of these attacks,” Young said.
Lech Janczewski, a data security expert at the University of Auckland, said New Zealand could be a target because of recent coverage of our Covid-19 response that’s put us in the spotlight.
“Why not test some software attacks against this country and announce to the world that we’re so good at attacks so they can ask for some money.”
Janczewski said the cyber criminals can use the attack as leverage for their next target to demand a ransom.