How a Dated Cyber-Attack Brought a Stock Exchange to its Knees

February 5, 2021 by

The website of the New Zealand Stock Exchange slowed to a crawl on a Tuesday afternoon in August. It was so badly throttled that the exchange couldn’t post market announcements, as required by financial regulators. So with an hour left for trading, management shut the entire operation down.

It didn’t take long to figure out what happened. The website had been overwhelmed by a tsunami of offshore digital traffic. An email from the perpetrators made clear that it was a malicious attack.

NZX Ltd, which operates the exchange, restored connectivity ahead of the next trading day. But the attacks resumed once the market opened, forcing more trading suspensions over the next few days.

When the exchange finally moved its servers out of the reach of the digital bombardment – to cloud-based servers – the attackers began targeting the exchange’s individually-listed companies. In the end, trading at NZX was stopped for four days, with “only intermittent periods of availability,” according to a government review.

“You wouldn’t wish this on your worst enemy,” NZX Chief Executive Officer Mark Peterson told a local newspaper.

NZX was hit with the cyber equivalent of a mugging, a crude and dated style of hack that John Graham-Cumming, the chief technology officer at the cybersecurity firm Cloudflare, described as “the simplest, dumbest attack you can do.” Known as a distributed denial of service, or DDoS for short, such attacks inundate a computer network or server with so much traffic that it can become overwhelmed and stop functioning.

DDoS attacks have been around for decades, even though the cybersecurity industry has largely figured out how to withstand them. Nevertheless, they have endured and grown because they are relatively easy to pull off compared to actual hacks of computer networks, and the explosive growth of internet-connected devices has given hackers an edge in launching attacks.

Also, many companies and organizations, such as NZX, don’t bother taking the necessary precautions.

“The reason they persist is people think they will never be a victim,” Graham-Cumming said.

This account is based on interviews with more than a dozen cybersecurity experts in New Zealand and elsewhere and provides new details about an attack, including boastful notes from the attackers and glaring cybersecurity deficiencies at NZX. A report released on Jan. 28 by New Zealand’s financial markets regulator reinforced those findings, blasting NZX’s failure to prevent the DDoS incident and accusing officials of a “lack of willingness to accept fault.”

NZX was targeted as part of a DDoS campaign that began last year and was striking in its global ambition. More than 100 companies and organizations around the world have so far felt its force, including Travelex in the U.K., YesBank in India and New Zealand’s meteorological service, according to cybersecurity researchers and the companies themselves. None suffered the impact of NZX.

Travelex didn’t respond to messages seeking comment, nor did the meteorological service. YesBank said the attack “wasn’t material” but provided no further details.

The attacks have followed a familiar pattern, according to cybersecurity experts. Potential victims receive an email often personally addressed to the chief IT officer. It lists a Bitcoin address and a demand for what has typically been about $200,000. The attackers promise discretion for those who pay to “respect your privacy and reputation, so no one will find out that you have complied,” according to copies of the emails reviewed by Bloomberg. Cybersecurity firms report that companies targeted months ago are being sent new extortion emails, reminding them to pay the ransom or risk an attack.

The attackers, believed to be based in eastern Europe, have variously identified themselves in the emails as Lazarus, FancyBear and the Armada Collective — all names of infamous hacking groups, according to the emails and cybersecurity experts.

“We absolutely assume it is one entity. Every aspect of the campaign is absolutely similar,” said Hardik Modi, the Washington-based senior director of threat intelligence at cybersecurity firm NetScout Systems Inc., which is based in Massachusetts. “I run a research team and I feel like we’re up against a research team where the level of devotion is uncommon. That’s why it’s caught our attention.”

Since NZX was temporarily shut down, the attackers have used it to establish credibility with new targets. Emails delivered in the weeks and months afterward contained some variation of this warning: “Perform a search for NZX or New Zealand Stock Exchange in the news, you don’t want to be like them, do you?”

Financial exchanges have halted trading for a variety of reasons over the years, from squirrels chewing through power lines to wars. In October, for instance, exchanges on three continents cited technical issues for shutdowns, with the all-day halt at the Tokyo Stock Exchange being the worst in its history. Similarly, the 10-hour outage at the Bolsa Mexicana de Valores was the longest blackout in its recent history; Euronext NV shuttered trading for three hours.

Officials at NZX declined to comment for this story but have told financial regulators that the magnitude of the attack was unprecedented and couldn’t have been foreseen. The Financial Markets Authority, in its report, wasn’t buying it: “Many other exchanges worldwide have experienced significant volume increases and DDoS attacks but we have not seen any that were disrupted as often or for such a long period.”

NZX, and much of New Zealand, suffers from a general lack of awareness about cyber risks and doesn’t spend enough on security, said Jeremy Jones, head of cybersecurity at IT consultancy Theta in Auckland.

“There’s a reason why New Zealand is a very juicy target for this,” he said. “The country is highly digitized and so dependent on the internet and cloud services. But historically, we’re at least 10 years behind the U.K. and Europe on general cybersecurity measures in the commercial space.”

Unlike a traditional hack, in which an attacker finds a way into a computer network to steal information or lock up files and demand payment, a DDoS attack is simply a blunt-force assault — directing more useless data at a company or organization than it can handle.

A common type of DDoS attack involves summoning a network of internet-connected devices — from laptops and servers to IoT devices such as DVRs and baby monitors — that have been infected with malware. The group of devices is known as a botnet, effectively a robot army, which the attacker can commandeer to do their bidding by sending directions to each device, or bot, according to Cloudflare. More often than not, the devices’ owners have no idea their machines have been hijacked.

When hundreds of thousands of devices are focused on a single target, like a server or a network, they can overwhelm the systems’ capabilities. It’s one reason, for example, why streaming services for popular television shows crash when millions of viewers are trying to download an episode at the same time. This is the ‘denial of service’ element of the attack.

In the decades since the first widely acknowledged DDoS attack in 1999 — on a single computer at the University of Minnesota — DDoS attacks have grown in size, sophistication and regularity, due in part to the growth of the internet and devices connected to it. In the first half of 2020, there were 4.83 million DDoS attacks, up 15% from the year before, according to NetScout. In the month of May alone, the firm recorded 929,000 DDoS attacks.

In 2017, in what is believed to be the largest DDoS attack yet, Google said nation-state hackers launched a six-month assault on its servers, reaching a size of 2.54 terabits per second. A terabit per second is a thousand times a gigabit per second, which moves a billion bits every second. In a blog post, Google said the attack didn’t cause a disruption.

There are various ways companies can beef up their cyber defenses against DDoS, including having enough bandwidth to absorb any deluge of junk traffic. They can also deploy layers of defenses, where each one protects the layer behind it, as Google said it did to block the attack on its network.
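The two paragraphs above describe the shape of a volumetric DDoS (many hijacked sources, far more requests than a server can absorb) and the first line of defense (seeing the surge early enough to divert it). The following is an added example, not code from the article or from NZX, Cloudflare or Google, showing the kind of detection logic an operations team would run over web-server access logs: it buckets requests per second, compares the rate against a known-quiet baseline, and only raises an alert when the surge also comes from many distinct client addresses, which is what separates a distributed flood from one misbehaving client that a per-source rate limit would handle. The log lines, timestamps and IP addresses (drawn from the reserved documentation ranges) are constructed for the example, and the thresholds `factor=10` and `min_sources=5` are illustrative assumptions to tune against real traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Regex for the common/combined access-log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (second_key, ip, path) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    # Bucket by whole second so the caller can compute requests per second.
    return ts.strftime("%Y-%m-%d %H:%M:%S"), m.group("ip"), m.group("path")


def per_second_sources(lines):
    """Map each second to a Counter of requests per client IP; malformed lines are skipped."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            second, ip, _ = parsed
            buckets[second][ip] += 1
    return buckets


def baseline_rps(lines):
    """Average requests per second over a window known to be quiet; the comparison baseline."""
    buckets = per_second_sources(lines)
    if not buckets:
        return 0.0
    return sum(sum(c.values()) for c in buckets.values()) / len(buckets)


def detect_flood(lines, baseline, factor=10, min_sources=5):
    """Flag seconds whose rate is `factor` times the baseline AND comes from many distinct IPs.

    A single busy client is a per-source rate-limit case; many sources at once is the
    distributed signature. Thresholds are assumptions to tune on real traffic.
    """
    baseline = max(baseline, 1.0)  # a zero baseline would flag every second
    alerts = []
    buckets = per_second_sources(lines)
    for second in sorted(buckets):
        rps = sum(buckets[second].values())
        sources = len(buckets[second])
        if rps >= factor * baseline and sources >= min_sources:
            alerts.append({
                "second": second,
                "rps": rps,
                "sources": sources,
                # Heaviest sources, useful for the upstream filter or scrubbing provider.
                "top_sources": [ip for ip, _ in buckets[second].most_common(3)],
            })
    return alerts


def make_line(ip, ts, path="/announcements"):
    """Build one constructed access-log line (sample data, not real NZX traffic)."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5120'


# Constructed sample: two quiet seconds of normal traffic, then one second of flood.
NORMAL_IPS = ["203.0.113.7", "203.0.113.9"]                 # TEST-NET-3 documentation range
FLOOD_IPS = [f"198.51.100.{n}" for n in range(1, 16)]        # 15 made-up sources, TEST-NET-2
SAMPLE_LOG = (
    [make_line(ip, "25/Aug/2020:15:00:01 +1200") for ip in NORMAL_IPS]
    + [make_line(ip, "25/Aug/2020:15:00:02 +1200", "/") for ip in NORMAL_IPS]
    + [make_line(ip, "25/Aug/2020:15:00:03 +1200") for ip in FLOOD_IPS for _ in range(2)]
    + ["this line is not an access log entry"]              # malformed input is skipped, not fatal
)

if __name__ == "__main__":
    base = baseline_rps(SAMPLE_LOG[:4])   # the first two quiet seconds serve as the baseline
    for alert in detect_flood(SAMPLE_LOG, base):
        print(f"{alert['second']}: {alert['rps']} req/s from {alert['sources']} sources; "
              f"top: {alert['top_sources']}")
```

Run as a script it reports the third second (30 requests per second from 15 sources) and stays silent on the quiet seconds. The baseline must come from a window captured before the surge; computing it over the same interval that contains the flood inflates the average and masks the attack, which is why the example feeds only the quiet lines to `baseline_rps`.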

A few months after NZX was temporarily shut down, the attackers turned their attention to Telenor Norway, a telecommunications company whose security operations center is nestled in the seaside town of Arendal, the inspiration for the magical village of Arendelle in the Disney film “Frozen”.

About 80% of internet usage in Norway comes through Telenor Norway’s infrastructure, and the operations center normally bats away anywhere from five to 30 DDoS attacks a day. The October attack unloaded as much as 400 gigabits of data per second at the network — a fraction of what was thrown at Google but still enough to garner the full attention of a company Telenor Norway’s size.

In the end, service was disrupted for about an hour, though the attack lasted for three, said Andre Arnas, the chief security officer for Telenor Group.

Gunnar Ugland, the head of the security operations center in Norway, quickly recognized the parameters of the October attack as it was happening — only a few weeks earlier his tech team had written about the NZX attack in the company newsletter. The company had also had previous experience with major DDoS attacks and had built “quite a massive infrastructure” to deal with the digital disruptions, he said.

“It’s not always easy to talk openly about these issues because it shows when you have to be able to be open to discuss the threats and the risks,” Ugland said. “There’s a lot of companies that do not have DDoS specific defenses and will probably have a bigger problem for a much longer time.”

In New Zealand, the DDoS attack has prompted a fair bit of finger pointing, as well as frustration that NZX wasn’t better prepared.

Jeremy Sullivan, an investment adviser based in Christchurch, said he could forgive a temporary glitch but not a dayslong outage, which delayed the processing of orders. “A DDoS attack is the equivalent of walking into a bank with a hammer and demanding money, it’s pretty crude. The fact that they didn’t have defenses against that was obviously disappointing,” he said.

Some cybersecurity researchers, meanwhile, say they believe they know what caused the initial spate of attacks — NZX’s reliance on two local servers with not nearly the bandwidth to handle a major DDoS attack. The exchange was in the process of moving to cloud-based servers as part of a long-planned update when the attack hit.

Losing access to those servers “means that eventually the company ceases to exist on the internet,” said Daniel Ayers, a New Zealand-based IT security and cloud consultant, who communicated with NZX staff during the outage. “Email can’t be delivered, web addresses can’t be resolved.”

Worse yet, Ayers said, those servers didn’t have nearly enough DDoS protection once the attack got underway.

The Financial Markets Authority described NZX’s technology, staffing and preparations for a crisis as insufficient. It said a DDoS attack was “foreseeable,” and “should have been planned for.” Indeed, similar extortion emails had been sent to New Zealand firms during 2019 carrying threats of action similar to what NZX sustained in August 2020, according to the regulator.

Regardless, the DDoS attack on NZX has made one thing clear: New Zealand’s days of acting as if it is a “safe haven like Hobbiton” are over, said Andy Prow, the chief executive officer of the Wellington-based cybersecurity firm RedShield Security Ltd, referring to the idyllic home for Hobbits in the “Lord of the Rings.”

“We’ve literally joined the rest of the world,” he said. “New Zealand is being hammered as badly as everyone else.”