New Zealand spy agency investigating 'severe' cyberattack on stock exchange

Finance minister Grant Robertson said the Government Communications Security Bureau (GCSB) has been instructed to help New Zealand's Exchange (NZX), which has suffered periodic outages since Tuesday. The National Security System has also been activated, requiring government agencies to work together, he told reporters at a press conference.

"There are limits to what I can say today about the action the government is taking behind the scenes due to significant security considerations," Robertson said. "We as a government are treating this very seriously."

The GCSB collects and analyzes intelligence, while providing cybersecurity for the country's critical infrastructure. New Zealand is a member of the Five Eyes intelligence alliance, which also includes the United States, Britain, Australia and Canada. The countries share a broad range of intelligence with one another and last year signed a cybersecurity pledge, along with 22 other nations, which provides for coordinated responses to cyberattacks.

NZX opened at 1 p.m. local time on Friday, three hours later than normal because of what the exchange has described as a "sophisticated and severe" distributed denial of service (DDoS) attack.

Trading was first halted at about 4 p.m. local time on Tuesday, with disruptions to debt, equities and derivatives markets continuing on Wednesday and Thursday. The exchange's website was not accessible after the close of trading on Friday.

"Given that this is an ongoing response, NZX will not be providing detail on the nature of the attacks or counter-measures," NZX CEO Mark Peterson said in a statement. "This is a systems connectivity issue not a data or communication integrity issue."

NZX hosts many of New Zealand's largest companies, including Fonterra Co-operative Group, which produces over 2 billion liters of milk every year and is the world's largest dairy exporter. Overseas investors owned roughly 40% of the equities market as of December 2018.

DDoS attacks aim to disrupt service by flooding a network with large volumes of internet traffic. The Hong Kong Stock Exchange suffered a DDoS attack in September last year, which forced it to suspend trading, while Nasdaq, CBOE and BATS were hit by DDoS attacks for several days in 2012 resulting in patchy access to their websites but no disruptions to trading.

The motive for the attack on New Zealand's stock market remains unclear and the exchange has not provided further details.

This type of attack is becoming much more common, as cybercriminals capitalize on the growth in public clouds and sell their services cheaply on the dark web. DDoS attacks surged 542% in the first quarter of this year, compared to the final three months of 2019, according to cyber security company Nexusguard.

''One reason why DDoS attacks are so inexpensive is that more and more people that offer DDoS-for-hire services are leveraging the scale and bandwidth of public clouds," said Juta Gurinaviciute, chief technology officer at NordVPN Teams, the cloud-based network provider.

The attacks have also become more sophisticated, according to Satnam Narang, a research engineer at cyber security company Tenable. As financial organizations rely more on connected devices -— the so-called Internet of Things — cybercriminals can target vulnerable devices to launch stronger DDoS attacks, he said.

— Laura He and Isaac Yee contributed reporting from Hong Kong.