A Mugging-Style Cyber Attack That Hit A Stock Exchange, Yes Bank, Others

Started by NiveRoshni, Feb 05, 2021, 05:31 PM


NiveRoshni


The website of the New Zealand Stock Exchange slowed to a crawl on a Tuesday afternoon in August. It was so badly throttled that the exchange couldn't post market announcements, as required by financial regulators. So with an hour left for trading, management shut the entire operation down.

It didn't take long to figure out what happened. The website had been overwhelmed by a tsunami of offshore digital traffic. An email from the perpetrators made clear that it was a malicious attack.

NZX Ltd, which operates the exchange, restored connectivity ahead of the next trading day. But the attacks resumed once the market opened, forcing more trading suspensions over the next few days.

When the exchange finally moved its servers out of the reach of the digital bombardment - to cloud-based servers - the attackers began targeting the exchange's individually-listed companies. In the end, trading at NZX was stopped for four days, with "only intermittent periods of availability," according to a government review.

"You wouldn't wish this on your worst enemy," NZX Chief Executive Officer Mark Peterson told a local newspaper.

NZX was hit with the cyber equivalent of a mugging, a crude and dated style of hack that John Graham-Cumming, the chief technology officer at the cybersecurity firm Cloudflare, described as "the simplest, dumbest attack you can do." Known as a distributed denial of service, or DDoS for short, such attacks inundate a computer network or server with so much traffic that it can become overwhelmed and stop functioning.

DDoS attacks have been around for decades even though the cybersecurity industry has largely figured out how to withstand them. Nevertheless, they have endured and grown because they are relatively easy to pull off compared to actual hacks of computer networks and the explosive growth of internet-connected devices has given hackers an edge in launching attacks.

Also, many companies and organizations, such as NZX, don't bother taking the necessary precautions.

"The reason they persist is people think they will never be a victim," Graham-Cumming said.

This account is based on interviews with more than a dozen cybersecurity experts in New Zealand and elsewhere and provides new details about an attack, including boastful notes from the attackers and glaring cybersecurity deficiencies at NZX. A report released on Jan. 28 by New Zealand's financial markets regulator reinforced those findings, blasting NZX's failure to prevent the DDoS incident and accusing officials of a "lack of willingness to accept fault."

NZX was targeted as part of a DDoS campaign that began last year and was striking in its global ambition. More than 100 companies and organizations around the world have so far felt its force, including Travelex in the UK, YesBank in India and New Zealand's meteorological service, according to cybersecurity researchers and the companies themselves. None suffered the impact of NZX.

Travelex didn't respond to messages seeking comment, nor did the meteorological service. YesBank said the attack "wasn't material" but provided no further details.

The attacks have followed a familiar pattern, according to cybersecurity experts. Potential victims receive an email often personally addressed to the chief IT officer. It lists a Bitcoin address and a demand for what has typically been about $200,000. The attackers promise discretion for those who pay to "respect your privacy and reputation, so no one will find out that you have complied," according to copies of the emails reviewed by Bloomberg. Cybersecurity firms report that companies targeted months ago are being sent new extortion emails, reminding them to pay the ransom or risk an attack.

The attackers, believed to be based in eastern Europe, have variously identified themselves in the emails as Lazarus, FancyBear and the Armada Collective - all names of infamous hacking groups, according to the emails and cybersecurity experts.

"We absolutely assume it is one entity. Every aspect of the campaign is absolutely similar," said Hardik Modi, the Washington-based senior director of threat intelligence at cybersecurity firm NetScout Systems Inc., which is based in Massachusetts. "I run a research team and I feel like we're up against a research team where the level of devotion is uncommon. That's why it's caught our attention."

Since NZX was temporarily shut down, the attackers have used it to establish credibility with new targets. Emails delivered in the weeks and months afterward contained some variation of this warning: "Perform a search for NZX or New Zealand Stock Exchange in the news, you don't want to be like them, do you?"

Financial exchanges have halted trading for a variety of reasons over the years, from squirrels chewing through power lines to wars. In October, for instance, exchanges on three continents cited technical issues for shutdowns, with the all-day halt at the Tokyo Stock Exchange being the worst in its history. Similarly, the 10-hour outage at the Bolsa Mexicana de Valores was the longest blackout in its recent history; Euronext NV shuttered trading for three hours.

Officials at NZX declined to comment for this story but have told financial regulators that the magnitude of the attack was unprecedented and couldn't have been foreseen. The Financial Markets Authority, in its report, wasn't buying it: "Many other exchanges worldwide have experienced significant volume increases and DDoS attacks but we have not seen any that were disrupted as often or for such a long period."

NZX, and much of New Zealand, suffers from a general lack of awareness about cyber risks and doesn't spend enough on security, said Jeremy Jones, head of cybersecurity at IT consultancy Theta in Auckland.

"There's a reason why New Zealand is a very juicy target for this," he said. "The country is highly digitized and so dependent on the internet and cloud services. But historically, we're at least 10 years behind the U.K. and Europe on general cybersecurity measures in the commercial space."

Unlike a traditional hack, in which an attacker finds a way into a computer network to steal information or lock up files and demand payment, a DDoS attack is simply a blunt-force assault - directing more useless data at a company or organization than it can handle.


Source: https://www.ndtv.com/world-news/a-mugging-style-cyber-attack-that-hit-a-stock-exchange-yes-bank-others-2363674?amp=1&akamai-rum=off