Below is a press release by Cyber Citadel on the NZX DDoS attack published by Scoop ( Cyber Citadel

The latest round of on-line internet attacks on New Zealand companies are simply cyber criminals welcoming New Zealand to the ‘big stage’ – and a poignant and high-profile demonstration of the world’s latest cyber-crime activity as a forewarning of what is to come, according to a senior cyber security expert.

Attacks on the New Zealand Stock Exchange with a distributed denial of service (DDOS) programme have seen the company’s website crash repeatedly after being swamped by overwhelming volumes of on-line traffic.

The Government Communications Security Bureau (GCSB) has also confirmed that weather forecasting site MetService, banking giant Westpac, and media organisations and Radio New Zealand have also been subjected to DDOS attacks over the same period.

NZX website unavailable

New Zealand-based on-line security testing firm Cyber Citadel chief executive officer Jonathan Sharrock says the relatively new phenomenon for New Zealand has been happening for quite some time overseas – with DDOS attack services able to be purchased openly on the internet from as cheaply as US$15.

He said the attack which disabled the NZX could be openly bought on-line for US$60 a day.

“It’s just that now New Zealand has cropped up on the world’s cyber-criminal radar. Whether that is because of our Covid-19 management situation which sees NZ INC now referred to around the globe, or whether the rest of the Western world has been saturated with DDOS attacks is the unknown,” said Sharrock.

“What the DDOS attack on the NZX has exposed is whether New Zealand companies have the appropriate DDOS mitigation clauses in their Service Level Agreements with telco’ providers – with the majority of those likely to be run through Spark, Vodafone, 2degrees and the little known Vocus.”

The NZX operates its internet services through Spark.

“New Zealand companies have certainly become increasingly diligent over the potential for invasive cyber-attacks – more commonly known as a hack – directly into their websites or internal computer systems. However, a DDOS cyber-attack is totally different phenomenon, and many IT system managers in New Zealand would have had limited risk appetite for facing up to the potential effects a DDOS attack would have on their business,” said Sharrock.

“With a DDOS attack, there’s not a lot the target entity or victim – in the current case, the NZX – can do themselves to repel the offensive volume-based battering it takes. They need to be protected by their telecommunications provider – in this case Spark – as far upstream up the connectivity network as possible.

“Think of the telco’s as the first line of defence when a DDOS attack is launched. Before the sheer volume of on-line traffic lands at its destination target in a carefully planned manoeuvre to disable it, the ‘tsunami’ of malicious traffic should be stopped at the border by the telco’ provider. The telco’s systems then ‘scrub’ out the vast volume traffic flow, sorting out the offending DDOS traffic from legitimate data, and allowing for a ‘business as normal’ level of operations.

“However, if the degree of bandwidth protection specified in the Service Level Agreement is not adequate enough for the telco’ to mitigate a DDOS attack, then it’s open season for a volume-based attack – either preceded or followed by a ransom demand of some sort, usually payable in untraceable crypto currency.

“However, as we’ve seen with the NZX DDOS scenario, along with the banks, some service agreements simply don’t appear to be adequate, or the telco’s security simply aren’t up to the task.

“If that is the case, New Zealand’s telco’s will quickly have to bulk up their band-width capability on behalf of their customers to sustain what are now the biggest volumetric online attacks we have ever tracked.”

“There may also be a degree of poorly designed IT networks, which, unprepared for a DDOS attack, have in fact inadvertently leaked information to the attacker about the system’s security. Carefully designed systems should not reveal that information.”

As published in Scoop ( – 2 September 2020