NZX and MetService may be feeling some measure of embarrassment after their websites were knocked offline by distributed denial-of-service attacks over the past couple of weeks.
But if some experts are right, it is the attackers themselves who may look like the real amateurs when they walk away out-of-pocket, and with several spy agencies on their backs.
Distributed denial-of-service (DDoS) attacks involve cyber-criminals overloading and crashing an organisation’s online services by bombarding their internet-facing systems with vast amounts of spurious traffic.
The NZX’s attackers – assuming it is one group – have targeted an eclectic mix of Kiwi organisations.
Westpac revealed it fought off a DDoS attack in mid-August.
Spokeswoman Max Bania said “a small number of customers” might have experienced intermittent issues logging in for a short period, but that was resolved quickly.
TSB experienced disruption to its banking services on Tuesday, though it has not said whether it was the target of a DDoS attack.
Media companies Stuff and RNZ confirmed they had experienced attacks which they had successfully defended.
Bizarrely, the Mt Ruapehu skifield also appears to have been targeted, with its car park booking system “deliberately crashed by an external cyberattack” on Wednesday morning.
But it was NZX that bore the brunt.
The attack on its infrastructure is understood to have peaked at more than 1 terabit per second of spurious data.
It may not have been far shy of the largest-ever reported DDoS attack globally, a 2.3Tbps assault on a customer of cloud-computing giant Amazon Web Services in February.
Sean Duca, Sydney-based regional chief security officer of United States cyber security firm Palo Alto Networks, said it was more common for attacks to peak at about a fifth of a terabit, or 200 gigabits per second.
DDoS attacks have been used in the past as a form of civil disobedience.
In 2012, activists associated with hacking group Anonymous vented their outrage at Kim Dotcom’s arrest in New Zealand by temporarily blocking access to the websites of the US’ FBI, Justice Department and recording label Universal Music Group.
Anonymous also disrupted the New Zealand Parliament website for two days in 2011 to protest against a copyright law change.
They can also have political goals.
The entire country of Estonia was largely knocked offline in 2007 during a period of high tensions with neighbouring Russia.
But the latest DDoS attacks on New Zealand appear to be financially-motivated based on emails and ransom demands sent to at least some victims, including the NZX.
The attacks may be part of a global campaign that New Zealand cyber-security agency Cert NZ first warned about in November last year that threatened financial services businesses around the world.
According to internet infrastructure giant Akamai, the group that prompted that warning has also attacked payment services PayPal and WorldPay and an Indian bank.
It reported the criminals were demanding ransoms in bitcoin of tens or hundreds of thousands of dollars to forestall or call off their attacks.
Duca said businesses brought to their knees by the much more serious scourge of ransomware hacks could be inclined to pay ransoms to unlock their data and prevent it being auctioned on the internet, even though paying such ransoms was “unethical”.
He had also heard “third hand” of organisations in Australia paying blackmail demands to save themselves from a denial-of-service attack, but not of any in New Zealand doing so.
Bruce Armstrong, director of Wellington cyber security company Darkscope, believed there was little chance of any New Zealand organisations paying off the current DDoS attackers.
“I suspect anyone who is presented with a ransom note in New Zealand is likely to seek help rather than pay it,” he said.
“Look at our corruption rates.
“I think it is an ingrained thing in New Zealand; ‘Why should you collect just because you can ransom me? I’d rather fight you even if it costs me more’,” Armstrong said.
GCSB Minister Andrew Little has cautioned that it is “never ethical” to pay a cyber ransom and has opened the door just a little to considering a legal ban on such payments.
He forecasts the attacks will simply “fizzle out” as the attackers’ victims get better at blocking the spurious traffic being thrown at them and shore up their systems.
Armstrong agrees, assuming no-one lets the side down by paying a ransom.
“It may fizzle out if the attackers are unsuccessful getting any ransoms and I don’t think to date they have been successful.
“There are easier places to go,” he said.
No-one knows how long that message may take to get through to the attackers.
But in the meantime they will be chewing through small amounts of cash, as well as hopefully banging their head against a brick wall.
Usually, DDoS attackers will hire a network of hacked computers or “botnets” through the dark web to launch their attacks, paying by the hour or day for a certain amount of bandwidth.
An attack peaking at 1Tbps would be likely to require at least tens of thousands of hijacked devices.
Duca said about 190,000 hacked IPTV cameras (cameras that are connected to the internet), were harnessed by criminals and used to conduct another terabit-scale DDoS attack in 2016 that took down large parts of the internet on the US east coast.
Jonathan Sharrock, chief executive of New Zealand-based online security testing firm Cyber Citadel, believed botnets capable of delivering a typical DDoS attack could be rented for about US$60 (NZ$89) a day.
That would put the total cost of the bigger, sustained DDoS attacks New Zealand has experienced over the past few weeks at perhaps thousands of dollars.
Aside from shouldering that loss, the attackers now have the GCSB and its “Five Eyes” partner agencies on their case.
Little said last week that the only clue they had to the identity of the attackers was the email demands they sent to victims.
A security expert said it might be possible to prove who was behind the attack by examining the devices that were part of the botnet, finding out who controlled them, and then working back to who hired them.
DDoS attacks reportedly more than halved after the FBI acted in 2018 to shut down 15 of the most active websites that sold control over botnets – the latest in a series of sporadic actions to take the fight back to attackers.
Where any trail might lead this time, no-one knows.
Duca said a peak of more than 1Tbps suggested the NZX attack was more than just the work of one person.
“It would be more akin to a group than an individual.
“When you start to look at the larger campaigns, it needs to be planned and methodical. It is not someone ‘shooting from the hip’, so to speak.”