Incident: Cyber Attacks Disrupt New Zealand Stock Exchange Operations for Days

Published Date: 2020-08-26

Postmortem Analysis
Timeline:
1. The software failure incident happened on August 26, 2020 [Article 103586].
2. The software failure incident happened on August 28, 2020 [Article 103567].

System:
1. Network connectivity system of the NZX exchange [103586, 103567]
2. NZX main board, NZX debt market, and Fonterra shareholders market systems [103586, 103567]

Responsible Organization:
1. Overseas hackers were responsible for causing the software failure incident at the New Zealand stock exchange, as indicated by the distributed denial of service (DDoS) attacks [103586, 103567].

Impacted Organization:
1. NZX exchange
2. NZX main board
3. NZX debt market
4. Fonterra shareholders market
5. New Zealand's critical infrastructure
6. New Zealand government
7. Banking and insurance industries
[Cited Articles: 103586, 103567]

Software Causes:
1. The failure incident was caused by a distributed denial of service (DDoS) attack originating from offshore, impacting the network connectivity of the NZX exchange [103586, 103567].
2. The attack overloaded traffic to NZX websites and the markets announcement platform, leading to a trading halt and disruption of normal market operations [103586].
3. The attack was sophisticated and targeted New Zealand's critical infrastructure, indicating a high level of determination and skill by the attackers [103586].
4. The failure incident raised questions about security measures, especially in the context of many people working from home with potentially lower security on their computers [103586].
5. The failure incident persisted for multiple days, indicating a prolonged and repeated vulnerability to cyber attacks [103567].

Non-software Causes:
1. The failure incident was caused by an overseas-based distributed denial of service (DDoS) attack targeting the New Zealand stock exchange, leading to network connectivity issues and trading halts [103586, 103567].
2. The attack was described as a volumetric DDoS attack from offshore via the network service provider, impacting the NZX network connectivity [103586].
3. The attack aimed to overload traffic to internet sites by infecting large numbers of computers with malware that bombarded the targeted site with requests for access [103586].
4. The attack on the stock exchange was part of a series of cyber attacks over multiple days, indicating a sustained and deliberate effort to disrupt operations [103567].
5. The New Zealand government activated national security systems in response to the cyber attacks, involving agencies like the Government Communications Security Bureau and the national agency fighting cyber crime [103567].

Impacts:
1. Trading halts and disruptions in the NZX main board, debt market, and Fonterra shareholders market [103586, 103567].
2. Loss of connectivity and access to NZX websites and markets announcement platform [103586].
3. Activation of national security systems by the New Zealand government [103567].
4. Involvement of the Government Communications Security Bureau and the national agency fighting cybercrime [103567].
5. Frustration and disruption for traders and investors due to four consecutive days of cyber attacks [103567].
6. Impact on the banking and insurance industries with potential profit losses [103567].

Preventions:
1. Implementing robust cybersecurity measures such as intrusion detection systems, firewalls, and regular security audits to detect and prevent cyber attacks like DDoS attacks [103586, 103567].
2. Enhancing network security protocols to mitigate the risk of network connectivity issues and disruptions caused by cyber attacks [103586, 103567].
3. Increasing awareness and training for employees and users on cybersecurity best practices to prevent malware infections that can be used in DDoS attacks [103586].
4. Collaborating with national security agencies and cybercrime units to strengthen the overall cybersecurity posture and response capabilities [103567].

Fixes:
1. Enhancing cybersecurity measures to prevent and mitigate distributed denial of service (DDoS) attacks, such as implementing robust network security protocols and monitoring systems [103586, 103567].
2. Conducting thorough investigations to identify the source and nature of the attacks, enabling better preparedness for future incidents [103567].
3. Collaborating with national security agencies and cybercrime units to strengthen defense mechanisms against cyber threats [103567].
4. Increasing awareness and training on cybersecurity best practices for employees and individuals working from home to prevent vulnerabilities in the network [103586].
5. Allocating sufficient resources and setting clear thresholds for cybersecurity protection to safeguard critical infrastructure and financial markets from potential attacks [103567].

References:
1. NZX exchange
2. Prof Dave Parry, Auckland University of Technology
3. Finance minister Grant Robertson
4. Government Communications Security Bureau
5. National agency fighting cyber crime
6. Jeremy Sullivan, investment adviser at brokerage Hamilton Hindin Greene
7. New Zealand's central bank
8. Rizwan Asghar, senior lecturer at the school of computer science, University of Auckland
9. Network service provider Spark

Software Taxonomy of Faults

Category | Option | Rationale
Recurring | one_organization, multiple_organization | (a) The software failure incident having happened again at one_organization: - The New Zealand stock exchange, NZX, experienced a cyber attack for the second day in a row, with trading being halted due to network connectivity issues [103586]. - NZX faced disruptions for four consecutive days due to cyber attacks, leading to trading halts and network connectivity issues [103567]. (b) The software failure incident having happened again at multiple_organization: - The incident in New Zealand follows a number of alleged cyber attacks by foreign actors targeting government and private-sector organizations in Australia [103586]. - Australia had also experienced a rise in similar cyber incidents, prompting the government to strengthen cyber defenses with increased spending [103567].
Phase (Design/Operation) | design, operation | (a) The software failure incident related to the design phase can be seen in the articles through the cyber attacks on the New Zealand stock exchange. The incident was attributed to a distributed denial of service (DDoS) attack from offshore, impacting the network connectivity of the NZX exchange [103586, 103567]. This attack was described as a serious threat to New Zealand's critical infrastructure, indicating a failure in the design or security measures of the system that allowed such attacks to disrupt the operations. (b) The software failure incident related to the operation phase is evident in the articles as well. The disruptions and halts in trading at the NZX exchange were a result of network connectivity issues caused by the cyber attacks [103586, 103567]. The attacks overwhelmed the servers with internet traffic, leading to operational disruptions and forcing trading halts. This highlights a failure in the operation or functioning of the system when faced with external threats like DDoS attacks.
Boundary (Internal/External) | outside_system | (a) within_system: The software failure incident at the New Zealand stock exchange was primarily caused by a distributed denial of service (DDoS) attack originating from offshore. The attack overloaded traffic to the NZX websites and markets announcement platform, leading to network connectivity issues and trading halts [103586, 103567]. (b) outside_system: The failure was attributed to overseas hackers launching sophisticated DDoS attacks on the NZX, indicating that the contributing factors originated from outside the system. The attacks were described as coming through the global gateway, making it difficult to pinpoint their exact origin [103586, 103567].
Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident occurring due to non-human actions: - The software failure incident at the New Zealand stock exchange was caused by a distributed denial of service (DDoS) attack, which overwhelmed the exchange's network with a flood of internet traffic, leading to network connectivity issues and trading halts [103586, 103567]. - The DDoS attacks were described as originating offshore, indicating that the attack was launched from outside New Zealand [103586, 103567]. - The attack was sophisticated and targeted critical infrastructure, showing a high level of determination and skill on the part of the attackers [103586]. - The network service provider confirmed that the internet traffic causing the disruption originated offshore, making it difficult to pinpoint the exact source of the attacks [103567]. (b) The software failure incident occurring due to human actions: - The failure to stop the cyber attacks on the New Zealand stock exchange has raised questions about New Zealand's security systems, suggesting potential shortcomings in human actions related to cybersecurity defense [103567]. - Experts have questioned the resources allocated and thresholds set for protecting against such attacks, indicating a potential human factor in the incident [103567]. - The disruption caused by the cyber attacks led to the activation of national security systems by the New Zealand government, involving agencies fighting cybercrime, which implies a human response to address the incident [103567].
Dimension (Hardware/Software) | software | (a) The software failure incident occurring due to hardware: - The articles do not specifically mention the software failure incident occurring due to hardware issues. The focus of the incidents reported is on cyber attacks, particularly distributed denial of service (DDoS) attacks, which overload the network and disrupt the services of the New Zealand stock exchange [103586, 103567]. (b) The software failure incident occurring due to software: - The software failure incidents reported in the articles are primarily attributed to cyber attacks, specifically DDoS attacks, which target the NZX exchange's network connectivity and websites, causing trading halts and disruptions [103586, 103567]. - The articles highlight that the DDoS attacks are aimed at overwhelming the targeted site with requests for access, indicating a software-related issue where the malicious software infects computers to generate excessive traffic [103586, 103567]. - Experts mentioned in the articles raise concerns about the security vulnerabilities possibly exacerbated by the increased number of people working from home during the COVID-19 pandemic, which could have contributed to the success of the cyber attacks [103586].
Objective (Malicious/Non-malicious) | malicious | (a) The software failure incident in the articles is malicious in nature. The failure was caused by a series of distributed denial of service (DDoS) attacks from offshore hackers targeting the New Zealand stock exchange (NZX) [103586, 103567]. These attacks were intentional and aimed at disrupting the NZX's operations, leading to trading halts and network connectivity issues. The attacks were described as sophisticated and determined, indicating a deliberate effort to harm the system and cause disruption to critical infrastructure. Additionally, the activation of national security systems and involvement of government agencies to address the cyber attacks further highlight the malicious nature of the incident.
Intent (Poor/Accidental Decisions) | unknown | (a) poor_decisions: The software failure incident related to the cyber attacks on New Zealand's stock exchange was not due to poor decisions but rather due to deliberate actions by overseas hackers. The incident involved distributed denial of service (DDoS) attacks aimed at overloading the exchange's network connectivity, causing trading halts and disruptions [103586, 103567]. (b) accidental_decisions: The software failure incident was not caused by accidental decisions but rather by intentional cyber attacks targeting the stock exchange's systems. The attacks were described as sophisticated and determined, indicating a deliberate effort to disrupt the exchange's operations [103586, 103567].
Capability (Incompetence/Accidental) | development_incompetence | (a) The software failure incident occurring due to development incompetence: - The incident of the New Zealand stock exchange being disrupted by cyber attacks was attributed to overseas hackers launching distributed denial of service (DDoS) attacks [103586]. - Experts highlighted concerns about the sophistication and determination of the attackers, indicating a high level of skill and software availability for such attacks [103586]. - Prof Dave Parry from Auckland University of Technology described the attack as a "very serious attack" on New Zealand's critical infrastructure, emphasizing the rare level of sophistication involved [103586]. (b) The software failure incident occurring accidentally: - The articles do not provide information suggesting that the software failure incident was accidental.
Duration | temporary | (a) The software failure incident in the articles is temporary. The New Zealand stock exchange experienced interruptions and trading halts due to cyber attacks, specifically distributed denial of service (DDoS) attacks [103586, 103567]. The interruptions were not permanent as the exchange was able to resume trading after mitigating the attacks. The incidents were caused by external factors (cyber attacks) and were not inherent to the system itself, making the failures temporary.
Behaviour | crash, other | (a) crash: The software failure incident in the articles can be categorized as a crash. The New Zealand stock exchange experienced interruptions and trading halts due to network connectivity issues caused by overseas cyber attacks [103586, 103567]. (b) omission: There is no specific mention of the software failure incident being due to the system omitting to perform its intended functions at an instance(s). (c) timing: The incident does not seem to be related to the system performing its intended functions too late or too early. (d) value: The failure was not due to the system performing its intended functions incorrectly. (e) byzantine: The incident does not exhibit characteristics of the system behaving erroneously with inconsistent responses and interactions. (f) other: The behavior of the software failure incident can be described as a deliberate disruption caused by a distributed denial of service (DDoS) attack from offshore, leading to the crash of the stock exchange systems [103586, 103567].

IoT System Layer

Layer | Option | Rationale
Perception | None | None
Communication | None | None
Application | None | None

Other Details

Category | Option | Rationale
Consequence | property, theoretical_consequence | (a) unknown (b) unknown (c) unknown (d) The software failure incident impacted people's material goods and data. The New Zealand stock exchange had to halt trading multiple times due to network connectivity issues caused by cyber attacks, disrupting operations in various markets [103586, 103567]. (e) unknown (f) unknown (g) The software failure incident resulted in real observed consequences as trading had to be halted multiple times due to the cyber attacks on the New Zealand stock exchange [103586, 103567]. (h) The articles discussed potential consequences of the software failure incident, such as the disruption of critical infrastructure, questions about security systems, frustration, and disruption to market operations [103586, 103567]. (i) unknown
Domain | finance | (a) The failed system was intended to support the finance industry as it disrupted the New Zealand stock exchange operations, impacting trading activities [103586, 103567]. (h) The incident directly affected the finance industry, with the New Zealand stock exchange being disrupted by cyber attacks, leading to trading halts and connectivity issues [103586, 103567].
