Business Continuity Management / Disaster Recovery , DDoS Protection , Governance & Risk Management

New Zealand Stock Exchange Trades Again After DDoS

Trading Resumes Following Several Days of Difficulties
New Zealand Stock Exchange Trades Again After DDoS

The New Zealand Stock Exchange - NZX - resumed trading in the early afternoon on Friday after the impacts of distributed denial-of-service disruptions reverberated into a fourth day.

See Also: On Demand | Defining a Detection & Response Strategy

In a statement, the exchange said that its Main Board, Debt Market and Fonterra Shareholders' Market would resume trading at 1 p.m. The NZX’s main homepage was offline Friday morning, then came back online around midday local time.

Radio New Zealand reports the NZX was aided in its recovery by its ISP, Spark, and the Government Communications Security Bureau, which is the country's "signals intelligence" spy agency.

The DDoS attacks started on Tuesday. Plans to reopen the exchange on Thursday were cancelled when the NZX was struck with another attack it characterized as coming from “offshore.”

Citing an anonymous source, ZDNet reports that a well-known criminal group that extorts organizations into paying a ransom has been attacking the NZX. The group has borrowed the names Armada Collective and Fancy Bear for itself - the latter is the nickname for a group believed to be affiliated with Russia’s GRU intelligence agency - in a move that experts say appears to be designed to scare more victims into paying. ZDNet reports that just this week, the crime group has also attacked numerous other organizations in the financial sphere, including the money transfer service Moneygram, YesBank India and PayPal.

On Monday, Akamai, a large anti-DDoS services provider, said in an updated blog post that the so-called Armada Collective and Fancy Bear actors have been sending ransom letters to numerous organizations in the U.K., U.S., and Asia-Pacific region, threatening to target them with DDoS attacks unless they pay a ransom. "They are currently targeting multiple sectors, including banking and finance, as well as retail," Akamai says (see: Copycat Hacking Groups Launch DDoS Attacks).

The extortion demands delivered by whoever's behind this Armada Collective moniker start at five bitcoins ($57,000) and increase to 10 bitcoins ($114,000) if the deadline is missed, Akamai says. The fee then rises by five bitcoins per day. Ransom demands received from Fancy Bear, however, start at 20 bitcoins ($228,000) before rising to 30 bitcoins ($342,000) if the deadline is missed, adding 10 bitcoins a day, Akamai says.

“While most extortion demands of this type typically follow a set amount when it comes to ransom demands, the financial elements are subject to change based on the whims of the threat actors themselves,” Akamai says.

Akamai noted that “we are not aware of any instances where the threatened follow-up attack was initiated once the ransom demand deadline passed.”

CERT NZ Warning

New Zealand's government cybersecurity agency CERT NZ warned in November 2019 that financial services firms were being targeted by DDoS blackmail campaigns.

The companies had received emails from a purported Russian group “called ‘Fancy Bear/Cozy Bear’ … that demanded a ransom to avoid denial-of-service attacks,” CERT NZ said at the time. But the agency added that it doesn’t believe the DDoS attackers are actually affiliated with the nation-state APT groups of the same name.

CERT NZ says the attackers' MO, before targeting a company, is typically to identify a back-end sever that isn’t defended by DDoS protection systems. To make the threat seem more credible, the attackers will sometimes also conduct a 30-minute DDoS attack, it says.

A variety of protocols are used for these attacks, including HTTP, Network Time Protocol, Domain Name System, Web Service Dynamic Discovery, Apple’s Remote Management Service, Simple Service Discovery Protocol, Lightweight Directory Access Protocol and SYN and Internet Control Message Protocol, CERT NZ says.

“So far, CERT NZ and international partners have not seen the attackers follow through with the major attack on the deadline provided in the email,” the agency says. “We recommend you do not pay the ransom, as this could result in your company becoming a target again.”

Dry Run for Larger Attack?

NZX hasn’t commented about the suspected identity of its attacker. But the hobbling of the exchange’s trading has demonstrated that DDoS attacks remain unpredictable threats that could potentially threaten other exchanges.

"This may be a rehearsal of a major attack targeting NASDAQ [exchange in the U.S.] or LSE [London Stock Exchange] amid the craziness going on the global stock markets," says Ilia Kolochenko, founder and CEO of the web security company Immuniweb.

Stephen Manley, chief technologist at the cloud security firm Druva, notes: "While we don't know the motivation behind the attack, common causes include a new [hacker] organization making a name for itself, [attempting] extortion to stop the attack, or distracting the security team while a separate attack extracts secure data."

Manley says a relatively small botnet rented from a criminal group could have been used to wage the DDoS attack that took down the exchange.

"To execute a DDoS attack on the New Zealand Exchange, a 50,000 device botnet would likely be sufficient," Manley says. "It's been projected that a week of access to a 50,000 device botnet can cost as little as $1,500."

By comparison, CloudFlare estimated that some 600,000 devices were used in the 2016 Mirai DDoS attack.

Immuniweb’s Kolochenko notes: “Web applications and APIs should be regularly audited for business logic and architectural security flaws that may consume all CPU/RAM and greatly facilitate a DDoS attack.”

High-Profile DDoS Attacks

Other significant DDoS attacks have included:

  • The massive Mirai attack in 2016 that hit Dyn, Deutsche Telekom and cybersecurity blogger Brian Krebs (see: Mirai Botnet Code Gets Exploit Refresh).
  • The 2018 attack on GitGHub, the online code management service, which CloudFlare clocked as having incoming traffic at a rate of 1.3 TB per second delivering 126.9 million packets per second.
  • A 2.3 TB attack earlier this year mitigated by Amazon Web Services.

Executive Editors Jeremy Kirk and Mathew Schwartz contributed to this report.

About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.