
GCSB examining extortion email sent to NZX ahead of DDoS attack

Wednesday, 2 September 2020

GCSB Minister Andrew Little says making it illegal to pay cyber criminals is a policy that could be considered but he does not believe that would be a panacea.

GCSB Minister Andrew Little says the only clues the country’s spy agency has to go on in tracking down the source of recent cyber attacks on New Zealand are emails sent to some victims ahead of the assault.

NZX had received an email that put it “on notice” shortly before it was targeted by a DDoS (distributed denial of service) attack that took down its website for six days, he said.

It is understood that the email sought a large ransom in Bitcoin.

Attackers have also interrupted the online services of Westpac and MetService, and targeted Stuff and Radio NZ, though it is not known if all those attacks were on the same scale or by the same group.

MetService is the latest to succumb to an attack. (File photo)

DDoS attack on NZX is understood to have peaked at more than 1 terabit a second, making it one of the largest on record.

The Government Communications Security Bureau (GCSB) was examining communications from the DDoS attackers, Little said.

But he said he did not know whether that would provide enough clues to track down their identity.

“I spoke to the GCSB last week and they said they are working on it but the nature of these things with these incoming emails is it is easy to disguise originating internet protocol addresses,” he said.

“They have got to just work through it and they will work with the partner agencies in other countries as well.”

It is understood that attackers at one point deluged NZX with more than a terabit a second (Tbps) of spurious data.

That makes the DDoS attack one of the most intense on record, globally.

The biggest reported DDoS attack in history peaked at 2.3Tbps on a customer of Amazon Web Services in February, which the United States cloud computing giant successfully defended.

The attacks in New Zealand appear to be part of a global DDoS campaign first threatened by a group posing as Russian cyber espionage group Fancy Bear in October last year.

But Little believed the attacks were financially motivated rather than the work of a “state actor”.

Little said it was “never ethical” to pay ransoms.

“In most cases DDoS attacks come from criminal origins and it is unethical to be encouraging or facilitating that criminal activity,” he said.

Little said he would look into why there was no clear rule barring public sector organisations from paying ransoms.

The National Cyber Policy Office adopted a policy in 2017 recommending organisations did not pay ransomware demands but that is not mandatory.

Little said the Government might explore making it illegal to pay or to facilitate the payment of cyber ransoms as suggested by a growing number of cyber security experts.

A 2019 survey by US-based AT&T Cybersecurity of 145 information technology professionals found 40 per cent believed it should be illegal to pay ransomware demands, to reduce the motivation for such attacks.

But Little did not believe that would be a panacea.

“It is something worth looking at [but] there is a practical question,” he said.

“You are dealing with people's behaviour at desperate times. I would rather we focused on the technical means to prevent and detect.”

The Government might take a fresh look at cyber security policy and institutions, he indicated.

“We have a lot of organisations set up for reactive purposes but I think there is a need for a broader NZ Inc digital strategy to deal with cyber threats and other matters as well,” he said.

“We do need a proactive forward-thinking approach to our total digital strategy including cyber security.”

The Department of Internal Affairs had some responsibilities in the area, he noted.

“But I think there is a bigger job in terms of getting that up the agenda and getting a conversation going across corporate New Zealand and New Zealand as a whole.”