NZ’s critical entities face cyber-attack surge

New Zealand’s National Cyber Security Centre (NCSC) has recorded a sharp uptick in cyber-attacks targeting critical services entities over the last year, with more than a quarter of attacks linked to state-sponsored actors.

The agency’s latest Cyber Threat Report 2020/21 recorded a total of 404 incidents with a “possible national impact” or affecting “nationally significant organisations”. This total represents a 15 per cent year-on-year jump on 2019/20 figures, with the agency identifying 352 cybersecurity incidents in that year.

These “nationally significant” organisations include critical government departments, key economic generators, niche exporters, research institutions and operators of critical national infrastructure.

As well as the number of breaches, the impact of cyber-attacks and the capability of threat actors to penetrate protective barriers also appear to be increasing.

“Malicious cyber actors remain determined and well-resourced, and our nation’s most significant organisations are not immune,” NCSC Director Lisa Fong said.

Strikingly, 33 per cent of malicious incidents fell into the ‘post-compromise’ category, meaning that a malicious cyber actor was able “to gain network access, succeeded in moving laterally through a network, or achieved an effect that denies, disrupts, degrades, or destroys the victim’s information or system accesses”.

This is a significant increase on last year’s figures, when just 15 per cent of incidents fell into this category. The NCSC reported that a large proportion of these incidents were the result of Denial-of-Service (DoS) or ransomware attacks.

Fong noted that malicious actors are turning increasingly to reconnaissance efforts before engaging in a full cyber-attack, making ready use of “automated scanning to identify cyber security vulnerabilities, with actors returning to select high-value targets to exploit”.

Of the 404 incidents recorded by the cyber agency, 28 per cent (accounting for 113 incidents) showed links to suspected state-sponsored cyber actors.

Noting their ability to successfully mask their attacks, the NCSC said: “Sophisticated, state-sponsored actors aim to hide their intrusions while extracting valuable data from both public and private sector organisations. Successful actors steal information to gain geostrategic and political advantage, and to maintain pace with developments in scientific and technological research.”

Compared to the 30 per cent recorded last year, this year’s state-sponsored figure does in fact represent a small proportional drop in these attacks.

However, the NCSC hastened to add, this is due to the significantly greater proportion of criminal incidents being recorded – with the number of suspected criminal or financially motivated cyber-attacks jumping from 14 per cent last year to 27 per cent this year. Last year, 105 state-sponsored attacks were recorded.

“This is a trend that has been reflected in public reporting of high-profile cases of disruptive ransomware and denial-of-service attacks affecting New Zealand private and public sector organisations,” Fong said.

The NCSC notes that the increase is largely attributed to the success of ransomware and extortion campaigns, and criminals’ increasing ability to home in on vulnerable targets.

“This activity increasingly targets critical service providers and organisations with no tolerance for extended periods of disruption.”

Criminal actors “typically look to disrupt critical services and publish stolen material to the internet and to media outlets in an attempt to apply further pressure on a victim to expedite their extortion demands,” Fong said.

Around one in four incidents had “insufficient information to make any assessment” on the type of actor responsible.

The remaining cyber incidents recorded, around 19 per cent, were “proactively” blocked as a result of efforts from the NCSC.

“These incidents [collectively] reflect the difficulty of attributing activity to a particular actor, and the NCSC’s focus on engaging early. The NCSC often prevents compromises long before it is possible to assess anything about the actor responsible or their motivation.”

In the 2020/21 year, the NCSC says its interventions or advice prevented an estimated $119 million worth of harm to nationally significant organisations, either by preventing incidents or by providing assistance and advice that helped those organisations detect, respond to, and recover from malicious cyber activity. Since June 2016, the NCSC said it has prevented an estimated total of $284 million in harm.

The year’s three most severe incidents recorded were rated category 2 or ‘C2’ – highly significant incidents (and one level below a national emergency).

This included the highly publicised Waikato District Health Board ransomware incident, which resulted in the details of 4,200 individuals being leaked onto the dark web, a DDoS campaign on the country’s stock exchange, and a data breach affecting the Reserve Bank of New Zealand.

The NCSC, part of the NZ Government’s Communications Security Bureau, is tasked with supporting NZ’s critical organisations in resisting cyber threats “that could have an impact on national security and wellbeing”.

The agency is currently trialling a Malware Free Networks (MFN) capability, giving partner organisations key intelligence to proactively detect and disrupt malware threats.

By July 2021, the NCSC reports that its MFN service had already disrupted more than 2,000 malicious indicators “before they had the chance to cause harm”.