Repeated DDoS Attacks on New Zealand Stock Exchange


The privately-owned New Zealand Stock Exchange (NZX) recently had a very bad week indeed; it experienced four consecutive days of disrupted trading (Tuesday-Friday), for several hours at a time, due to a series of Distributed Denial of Service (DDoS) attacks on their site. One of which was due to a volumetric attack which peaked at over 1 terabit per second (Tbps), making it one of the largest attacks on record, globally. The attacks resulted in severe disruptions to debt, equities and derivatives markets, and the exchange was initially forced to suspend trading completely, because it could not fulfill its continuous disclosure obligations as its website was down.

Content delivery network has not stopped the attacks

The following week also started off badly for NZX, with disruptions on the Monday and Tuesday. They reportedly sought the assistance of a leading content delivery network and DDoS mitigation service provider. Apparently, that provider also struggled to successfully defend the NZX public website; over a week later, the public facing website,, was still down. Market trading was only able to resume at all, within the first week of the attacks, after NZX put in place alternative public disclosure methods for investors to get their information, with the agreement of the Financial Markets Authority.

The attacks have been sophisticated; according to ZDNet, “in the case of NZX, the group has repeatedly targeted Spark, the stock exchange’s hosting provider, which has also resulted in downtime for the provider’s other customers… Furthermore, the group also showed its sophistication by often changing the protocols that were abused for the DDoS attacks, keeping defenders on their toes as to how the next attack would take place, and the protections they needed to roll out.” This is a prime example of why organizations need the latest generation of automated, real-time DDoS mitigation, to successfully defend against such multi-vector DDoS attacks. Unfortunately, it is increasingly easy, and inexpensive, for threat actors to carry out attacks, thanks to DDoS-for-hire services that are now widely available, and the ever-growing network of IoT devices that can be harnessed into botnets to power them.

Critical infrastructure must be protected

Any organization with a public-facing website should be concerned about the threat of DDoS attacks, but especially those considered to be part of a nation’s critical infrastructure. A large, privately-owned financial organisation like NZX can be considered critical infrastructure because of the potential impact; even a short outage can create chaos and economic fallout, not only for the organization that operates the service, but for the many businesses and individuals that rely on it. In the domain of stock trading, milliseconds of downtime can make a huge difference in the ability to conduct business. Hours of downtime are understandably intolerable.

Attacks targeting the financial sector

Additional organizations suffered DDoS attacks as well, ranging from other banks, to news outlets, a university, and a weather service. According to the New Zealand Herald, “the GCSB has issued a “be prepared” advisory for all Kiwi businesses on the heels of the stock exchange suffering a fifth day of outages linked to cyber-attacks, unsuccessful attacks on Stuff and RNZ’s websites over the weekend, and ransomware incidents that have hit, F&P Appliances, Lion, Toll Group and the University of Auckland (where a ransom was paid by the US firm hosting its data), among others.”

Financial motive is suspected

The New Zealand Government Communications Security Bureau (GCSB) is investigating the source of the attacks on the stock exchange, and the country’s National Security System has also been activated, requiring government agencies to work together. Stock market operator NZX blamed the attacks on cybercriminals from overseas, but the NZ government is not sure whether the attack is the work of one bad actor or a nation-state. Thus far, no motive for the NZX attack has been established, but government officials suspect it is a case of DDoS for ransom, because there were emails sent to some victims ahead of the assault that demanded a large ransom payment in the form of Bitcoin, which NZX did not pay.

There is some speculation, according to ZDNet, that the extortionists are cybercrime groups who are mimicking the Russian “Cozy Bear” cybercriminal group; they call themselves “Fancy Bear” and the “Armada Collective.” Coincidentally, these groups were also named in an Akamai report on August 17.

Detection and mitigation are key to avoiding ransom attacks

Government officials and law enforcement agencies in the US, as well as New Zealand, generally agree that it is best to never pay a ransom to prevent or stop a DDoS attack, because it only rewards the perpetrators and encourages more cybercrime. New Zealand is a member of the Five Eyes intelligence alliance, which also includes the U.S., U.K., Australia and Canada. The countries share cyber intelligence and have pledged, along with 22 other nations, to coordinate any response to cyber-attacks.

For over a decade, Corero has been providing state-of-the-art, highly-effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. For more on Corero’s diverse deployment models, click here.  If you’d like to learn more, please contact us.

Sean Newman is VP Product Management, responsible for Corero’s product strategy. Sean brings over 25 years of experience in the security and networking industry, to guide Corero’s growing leadership in the real-time DDoS protection market. Prior to joining Corero, Sean’s previous roles include network security Global Product Manager for Cisco, who he joined as part of their acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.