The cyber-attack that appears to be behind the continued service disruption of Kiwibank’s online banking services is boosting the reputation of the attackers, even if they are demanding a ransom that hasn’t been paid.

On Wednesday Sep 8, government cybersecurity agency Cert NZ confirmed a distributed denial of service (DDoS) attack was targeting banks and popular websites. 

ANZ, NZ Post, NZ Police, and the MetService have also had ongoing service and website issues for the past week, but Kiwibank’s online banking service is among the worst affected, with many customers unable to access online banking to transfer funds.

Eftpos, ATM withdrawals, scheduled payments and other services remain functioning, and because of the nature of DDoS attacks, customer funds and data are not at risk of theft.

Kiwibank customers have posted on the bank’s Facebook page this morning that they cannot login to online banking.

“They're criminals, and these guys are doing this in order to get a reputation,” Dave Parry, professor of computer science at AUT said.

It is not confirmed who is behind these ongoing DDoS attacks or whether any of the affected organisations have been issued ransom demands, but Parry agrees with earlier expert comment that random demands are likely. 

“Financial institutions virtually never pay these sorts of ransoms, they're very aware that these things can escalate very quickly.

“Given that Kiwibank’s not going to be paying a ransom, the attackers are using this as an advert to demonstrate to other potential users of the services or software, or other potential victims … we can hit this for a long time. And hence, pay up.”

Payment of ransoms is not illegal in New Zealand, but government and regulatory advice is not to pay, partly because it doesn't guarantee an end to the attack. 

“Officials are currently undertaking policy work to explore options to improve New Zealand’s resilience to ransomware,” minister for digital economy and communications David Clark said. 

“This is not an issue unique to New Zealand. Globally, countries and organisations are considering how to more effectively address the threat of ransomware.”

So far, only CertNZ has said a cyber-attack is the cause of the disruption. An agency spokesperson told BusinessDesk on Sep 10 that no other businesses had reported attacks that day.

“Cert NZ remains in close communication with our sector partners to share intelligence and support recovery efforts.”

Today another Cert NZ spokesperson said there was no update beyond its earlier statements.

A spokesperson for Heartland Bank said on Tuesday a payment issue that affected customers on Sep 13 had been resolved, but said the bank could not comment on whether it was related to a cyber-attack.

Under wraps

The lack of public explanation from organisations including the government communications security bureau (GCSB) and the affected organisations themselves is by design.

Last week, a spokesperson from the government’s National Cyber Security Centre (NCSC) said the agency was limited in the public comment it could make as any information may change the behaviour of the attackers.

Repeated requests for comment from BusinessDesk to RedShield, one of NZ's leading cyber-security firms that is understood to provide services to Kiwibank and other affected organisations, have elicited no response in the last week.

“I know the organisations affected are working very hard behind the scenes to remedy the situation, working with their IT and security suppliers,” Clark said.

“The GCSB and Cert are tending towards, in these sorts of attacks, less publicity and perhaps just reporting after the thing has been resolved,” Parry said. 

“Banks in general, their whole model is based on that they are a secure and safe people to deal with, and so every time they mentioned that attack, every time they mention something like that, they feel that that damages their brand.

“There's a constant balance between the attackers and the defenders, and at the moment, the attackers have got an advantage in some areas.”

It has meant Kiwibank’s social media teams are bearing the brunt of customer frustration following service outages that began nearly a week ago.

“Unsatisfactory communication this past week from Kiwibank,” one person tweeted at the bank on Tuesday. 

“Any idea if this'll be sorted today?? Been waiting around for hours waiting to check my account to see if my work pay has come in so we can go grocery shopping,” said another. 

Others were more sympathetic.

“Someone needs to buy your IT staff a drink! Thank you for the updates. Frustrated but this is obviously a challenging issue.”

Parry said it was likely attackers have targeted banks because NZ is in a state of national lockdown.

“The other thing with banks is that because people do use them 24-hours a day, especially with lockdown, you notice the disruption more.”

He said this round of attacks on NZ organisations is likely targeting the businesses themselves rather than a common service provider.

“There's not likely to be a magic bullet to solve this at any one time,” he said. 

“There's a constant battle balance between the attackers and the defenders, and at the moment, the attackers have got an advantage in some areas.”