The latest round of online attacks on New Zealand companies is simply cyber criminals welcoming New Zealand to the "big stage", according to a senior cyber security expert.
The Government Communications Security Bureau (GCSB) confirmed that MetService, Westpac, stuff.co.nz, and Radio NZ were among the organisations targeted in a wave of DDoS attacks that followed the high-profile assault on the New Zealand Exchange (NZX). The attacks demonstrated that New Zealand's critical infrastructure and media organisations were squarely in the sights of international cybercriminal groups.
Jonathan Sharrock, a senior cyber security expert at Cyber Citadel, noted that DDoS-for-hire services are readily purchasable on the dark web for as little as US$15. He estimated that the sustained attack on the NZX could have been mounted for approximately US$60 per day — a trivial cost for an operation that caused days of disruption to a national stock exchange. The low cost and easy accessibility of DDoS tools mean that virtually any organisation with an internet-facing presence is a potential target.
Sharrock observed that New Zealand's successful management of the Covid-19 pandemic had raised the country's international profile significantly, inadvertently placing it on the radar of cybercriminal groups who may not have previously considered it a worthwhile target. "New Zealand is now on the criminal radar," he said. "The country's global visibility has increased, and with that comes increased attention from threat actors looking for high-profile targets."
A key issue highlighted by the attacks was the adequacy of Service Level Agreements (SLAs) between New Zealand organisations and their telecommunications providers. Sharrock pointed out that the bandwidth commitments from telco providers such as Spark, Vodafone, 2degrees, and Vocus may not be sufficient to absorb the volume of traffic generated by a sustained DDoS campaign. When a DDoS attack floods an organisation's internet connection, the telco provider is the first line of defence — and if the provider's infrastructure cannot handle the load, the organisation is left exposed.
"The telco is your first line of defence," Sharrock explained. "If a DDoS attack overwhelms your internet connection, it doesn't matter how good your internal security is — you're offline. Organisations need to have frank conversations with their telco providers about what happens when an attack exceeds the bandwidth committed under their SLA."
Sharrock described the process of "scrubbing" traffic — in which a DDoS mitigation provider or telco filters out malicious traffic before it reaches the target's network — as essential for any organisation that relies on internet connectivity for its core operations. However, he noted that many New Zealand organisations' SLAs with their telco providers do not include adequate provisions for traffic scrubbing or DDoS absorption. This is a gap that needs to be closed urgently.
"Telcos need to bulk up their bandwidth and their DDoS mitigation capabilities," Sharrock said. "As these attacks become more frequent and more powerful, the current level of protection offered under standard SLAs is simply not going to be enough. New Zealand needs to invest in its telecommunications infrastructure to match the level of threat that the country now faces."
Published in Scoop — 2 September 2020.
