A series of DDoS attacks has kept the New Zealand stock exchange offline for four consecutive days. It was set to re-open this morning but failed to do so, despite assurances it would. Trading finally resumed at 1pm local time. The likely attack source is said to be Fancy Bear, a Russian-linked hacking group with the above-average DDoS skills needed for this type of attack.
DDoS Attacks Knock NZ Stock Exchange Offline
The Wellington-based NZX-Exchange halted trading on Tuesday 26 August at approximately 3:57 pm. In a statement, the stock exchange said that it had faced a volumetric distributed denial of service (DDoS) attack via their network provider that impacted NZX’s connectivity.
On Wednesday, hackers struck again. The disruption was similar to Tuesday’s attack and affected NZX’s websites and their Markets Announcement Platform. Therefore, NZX once again decided to halt trading in its cash markets around 11:24 am. The disruptions severely frustrated investors, as the market was nearing a record high. Trading didn’t resume until 3 pm.
Unfortunately, network connectivity issues relating to the earlier attacks continued, forcing NZX to make the decision not to re-open on Thursday and focus on addressing the situation instead. “We continue to address the threat and work with cybersecurity experts, and we are doing everything we can to resume normal trading tomorrow (28 August)”, their statement said.
4 Days of Disruptions
Despite an announcement early on Friday saying that NZX’s markets would open as normal, the exchange failed to re-open. Trading finally resumed three hours later at 1 pm local time. All in all, the market had lost an hour of trading on Tuesday, more than three hours on Wednesday, almost six hours yesterday, and three hours today.
NZX is working with their network service provider, Spark, and national and international cybersecurity partners, including New Zealand’s Government Communications Security Bureau (GCSB), to address the cyberattacks. The motive of the attack remains unclear, and NZX declined to comment on whether the attackers were demanding a ransom. Some experts believe that this might just be a training attack before the cybercriminals go after more valuable targets. Cyberattacks are uncommon in New Zealand, in contrast to neighboring country Australia, who has seen an increase in cyberattacks in recent months.
A DDoS attack is relatively simple to launch, but not so simple to protect against unless the target uses specific solutions. Because the attacks are performed by a large botnet, which uses many different IP addresses, internet service providers cannot simply block the IP address. This is because there are too many of them.
Fancy Bear May be Responsible
Late last year, the government’s cybersecurity agency, CERT NZ, warned the sector that they had received several reports about ransomware campaigns targeting companies within the financial sector. “The cybercriminals claim to be Russian Advanced Persistent Threat (APT) group ‘Fancy Bear / Cozy Bear’ and demand a ransom to avoid DDoS attacks. They carry out a short DDoS against a company’s IP address to demonstrate intent.”
The identity of the cybercriminals who targeted NZX has not yet been confirmed. What is known, is that they originate from overseas. However, it is difficult to track them down, as hackers tend to hide their IP addresses. Fancy Bear, thought to be operating since the mid-2000’s, is classified as an APT. APTs usually use zero-day exploits, phishing campaigns and malware to compromise their victims.
Fancy Bear (aka APT28) and the lesser-notorious Cozy Bear (aka APT29) are both linked to Russian intelligence agencies. The Mueller investigations (PDF) named some of Fancy Bear’s member hackers. One of them, Dmitriy Sergeyevich Badin, 29, from Kursk, who is believed to be living in Moscow, is being sought by German officials for a cyberattack on the German Bundestag in 2015. In July 2020, Cozy Bear was accused of stealing coronavirus vaccine information from the US, Canada, and the UK.