Error 404: 15% spike in cyber-attacks on top NZ organisations

NCSC director Lisa Fong says attackers can target every device. (Image: supplied)

Wed, 17 Nov 2021

Cyber incidents against New Zealand's top organisations rose 15% to 404 in the year to June.

The latest report from the GCSB’s National Cyber Security Centre (NCSC) said only 27% of these incidents were criminal or financially motivated.

The NCSC works directly with government, financial institutions, and other “nationally significant organisations” to help them counteract the burgeoning cyber threats that can take down systems, compromise data, and disrupt public services.

State-sponsored actors are suspected to be behind 113 (28%) of the reported attacks, though the suspected countries are not named.

The use of ransomware to demand financial payment and the disruption of consumer internet services were common attack methods.

NCSC director Lisa Fong underlined the importance of supply-chain security and for organisations to take closer interest in the security of technology partners to ensure their own cyber safety.

“We're seeing actors targeting every device, every organisation who they think might be vulnerable, establishing a foothold, and then selectively picking their targets,” she told BusinessDesk.

She said about a quarter of attacks could not be linked to any specific party, and there was an increased persistence, sophistication, and impact in the recorded threats.

“The fact there is an increase in the criminally and financially motivated actors, using the sophisticated tools means there is more widespread damage.

“It's really important in a changing technology environment, where the threat actor is adapting rapidly that we do so as well.”

Top targets

Because of its narrow customer base, the NCSC’s 404 recorded incidents are not representative of the volume of all cyber-attacks in Aotearoa.

Though the NCSC estimates its actions saved the 200 organisations it works with about $119 million worth of harm, major incidents were recorded with Waikato DHB and the Reserve Bank of New Zealand.

Both incidents involved malware and the theft of personal customer data. In the case of Reserve Bank, a flaw in file sharing partner Accellion’s software was the way in for attackers.

“Our capability for detection and disruption is largely focused on three actors who work through malware,” Fong said

“When it's a DDoS attack, we aren't best placed to mitigate those attacks. But the suppliers and providers to the affected entity can provide that support.”

Distributed denial of service (DDoS) attacks target online services and overwhelm them with artificial requests, rendering the services unusable to customers.

The NZX was hit with service outages due to DDoS attacks last year, while disruption to major websites and services including Kiwibank, ANZ, and NZ Post was suspected to be because of similar methods, though this has not been confirmed by any of the affected parties.

Fong wouldn’t call out exactly what it is organisations are doing wrong. She instead highlighted the importance of governance, incident readiness and planning for attacks, supply-chain security, and investment.

“The steps that organisations need to take to protect themselves, regardless of attribution, these remain reasonably consistent over time.”

The NCSC will soon fully launch its Malware Free Networks initiative that will make its anti-attack insights available to more organisations through commercial partners.

This story has been updated to correct a factual error.

About the author

Henry Burrell

Tech Editor

[email protected]

Henry is a former editor of IDG UK titles Macworld and Tech Adviser. He has also written for numerous publications including PC World and The Spinoff. Henry has also worked in PR for telecoms. He joined the BusinessDesk team in 2020 and is based in the Auckland office. You can follow him on Twitter @hrburrell or connect with him on LinkedIn here.

Latest from Henry Burrell