NZX says trading continues despite site being down again

Chris Keall, NZ Herald
Publish Date: Mon, 31 Aug 2020, 12:07PM

NZX says trading continues on its X-Stream trading platform, despite its public-facing website having problems for the fifth trading day in a row. The site went offline around 10.20am, soon after the market opened, then was up and down over the next half hour.

During attacks last week, the exchange was forced to suspend trading, because it could not fulfil its continuous disclosure obligations with its website down.

But today it is trading under a new arrangement with the Financial Markets Authority that lets the NZX keep trading even if its website has been forced offline by a fresh cyber attack. Information is being posted to an alternative source that the NZX refused to name, citing security reasons. It says people who are actively trading a stock will get market releases.

Earlier, the NZX confirmed it has drafted in Akamai Technologies, the multinational content delivery network giant, as first-reported by the Herald.

Akamai is not perfect. An angry Spark insider pointed the finger at the US company after the first-half Spark Sport streaming failure in the key All Blacks-South Africa group-stage clash during the Rugby World Cup.

But it does have huge capacity and sophisticated defences, which should help the NZX fend off any renewed DDoS (distributed denial of service) attacks.

And Finance Minister Grant Robertson confirmed late Friday that the Government had directed the GCSB to assist the exchange, too, potentially further beefing up its defences (although the spy agency's main cyber-defence system, Cortex, is aimed at stopping break-ins rather than a DDoS-style attack, where thousands of hijacked computers are used to overwhelm a website with connection requests, forcing it offline).

The NZX now appears to have six nameservers on Akamai's network. Previously, the servers that direct computers looking for the site sat on the same network on Spark, and there were only two of them.

Although it hasn't commented publicly on the NZX attacks, Akamai has said that several attacks on financial institutions around Asia-Pacific are the work of a group posing as the Russian cyber-gang known by several names including Cozy Bear.

Crown cyber-security agency Cert NZ put out a warning about Cozy Bear targeting NZ financial institutions with DDoS attacks in November last year.

What exactly was attacked

The stock exchange operator has also filled in more details about its four days of outages last week.

Communications manager David Glendining told the Herald it was important to note that the NZX's core trading and clearance systems (the X-Stream platform, licensed from Nasdaq) were not hit by the DDoS attack.

Rather, the attack overwhelmed its public-facing website and Market Announcement Platform (MAP), meaning investors could not see company announcements in real time, in keeping with the exchange's regulatory requirement for continuous disclosure to all market participants at the same time.

Peterson said this morning that the exchange has now worked out an arrangement with the Financial Markets Authority for contingency arrangements that will allow investors to continue to access market announcements, even if the website goes down again.

The contingency arrangements - that is, where investors will go for information if the website is offline - were not immediately detailed.

"NZX has been advised by independent cyber specialists that the attacks last week are among the largest, most well-resourced and sophisticated they have ever seen in New Zealand," Peterson said - echoing the verdict of AUT computer science professor Dave Parry in comments to the Herald on Friday.

He also noted that the GCSB's National Cyber Security Centre unit has compiled and sent an Advice Notice to New Zealand companies.

NZX has also forwarded this advice to its listed issuers.

Who is behind the attacks?

Some experts, including NortonLifeLock's Mark Gorrie, have speculated that the attacks on the NZX could be a profit-driven extortion attempt, with the hackers demanding a ransom to cease (the NZX has refused comment on that point).

Others have seen a possible state actor involved following the broad-ranging cyber-attacks on Australia.

One ex-Spark manager even floated the theory that the attacks on the NZX - which coincided with Brenton Tarrant's sentencing - were revenge against Spark and other ISPs blocking controversial sites 4Chan and 8Chan in the wake of the Christchurch mosque shootings.

And AUT's Parry says it could just be an amateur hacker proving their chops, although he also conceded the repeated nature of the attacks pointed to a possible extortion attempt. Parry saw the NZX in a four-day "arms race" with its attacker - an area where Akamai's big guns should help.

Whatever the attacker's motivation, they did not cause NZ financial harm last week.

Despite a highly disrupted few days of trading, the local NZX 50 rallied 2.2 per cent for the week and also surpassed its pre-Covid closing high from February, Harbour Asset Management's Shane Solly notes.

What is a DDoS attack?

Security company NortonLifeLock says criminals prepare for a DDoS attack by taking over thousands of computers. These are often referred to as "zombie computers". They form what is known as a "botnet" or network of bots. These are used to flood targeted websites, servers and networks with more data than they can accommodate.

A volume-based or "volumetric" DDoS attack, which was apparently the variant that hit the NZX, sees massive amounts of traffic sent to overwhelm a network's bandwidth, NortonLifeLock says.

The company says a DDoS attack has to be repelled at the internet service provider level (often this involves temporarily blocking traffic from certain IP addresses).

But it is also a good idea to keep your security software up to date so your PC does not unwittingly become part of a botnet attack.

The NZX did not immediately respond to questions about whether it had received any extortion demand, whether its communications setup involved multiple providers for redundancy, and what steps were being taken to avoid another attack.