Cyber incidents against New Zealand's top organisations rose 15% to 404 in the year to June.

The latest report from the GCSB’s National Cyber Security Centre (NCSC) said only 27% of these incidents were criminal or financially motivated.

The NCSC works directly with government, financial institutions, and other “nationally significant organisations” to help them counteract the burgeoning cyber threats that can take down systems, compromise data, and disrupt public services. 

State-sponsored actors are suspected to be behind 113 (28%) of the reported attacks, though the suspected countries are not named. 

The use of ransomware to demand financial payment and the disruption of consumer internet services were common attack methods. 

NCSC director Lisa Fong underlined the importance of supply-chain security and of organisations taking a closer interest in the security of their technology partners to ensure their own cyber safety.

“We're seeing actors targeting every device, every organisation who they think might be vulnerable, establishing a foothold, and then selectively picking their targets,” she told BusinessDesk.

She said about a quarter of attacks could not be linked to any specific party, and there was an increased persistence, sophistication, and impact in the recorded threats.

“The fact there is an increase in the criminally and financially motivated actors, using the sophisticated tools means there is more widespread damage.

“It's really important in a changing technology environment, where the threat actor is adapting rapidly that we do so as well.”

Top targets

Because of its narrow customer base, the NCSC’s 404 recorded incidents are not representative of the volume of all cyber-attacks in Aotearoa.

Though the NCSC estimates its actions saved the 200 organisations it works with about $119 million worth of harm, major incidents were recorded with Waikato DHB and the Reserve Bank of New Zealand.

Both incidents involved malware and the theft of personal customer data. In the case of the Reserve Bank, a flaw in file-sharing partner Accellion’s software was the way in for attackers.

“Our capability for detection and disruption is largely focused on three actors who work through malware,” Fong said.

“When it's a DDoS attack, we aren't best placed to mitigate those attacks. But the suppliers and providers to the affected entity can provide that support.”

Distributed denial of service (DDoS) attacks target online services and overwhelm them with artificial requests, rendering the services unusable to customers. 

The NZX was hit with service outages due to DDoS attacks last year, while disruption to major websites and services including Kiwibank, ANZ, and NZ Post was suspected to have been caused by similar methods, though this has not been confirmed by any of the affected parties.

Fong wouldn’t call out exactly what it is organisations are doing wrong. She instead highlighted the importance of governance, incident readiness and planning for attacks, supply-chain security, and investment.

“The steps that organisations need to take to protect themselves, regardless of attribution, these remain reasonably consistent over time.”

The NCSC will soon fully launch its Malware Free Networks initiative, which will make its anti-attack insights available to more organisations through commercial partners.

This story has been updated to correct a factual error.