New Zealand’s National Cyber Security Centre (NCSC) reports that 38% of 339 incidents it responded to in the year since 30 June 2018 were likely from state-sponsored hackers.
NZ’s NCSC revealed the detail in its annual Cyber Threat Report released last week, following equivalent reports released in October by the Australian Cyber Security Centre (ACSC) and the UK’s National Cyber Security Center (NCSC).
NZ NCSC said the proportion of state-sponsored attacks detected in the 2018-2019 reporting period was about the same as the previous year; however, the current period’s attacks had a greater impact because they were detected later, or “post-compromise”. This allowed attackers to cause more damage than in attacks detected prior to compromise, or “pre-compromise”.
NCSC said most “pre-compromise” incidents in New Zealand occurred through phishing, compromised websites, credential harvesting and brute force attempts on credentials.
“Post-compromise” incidents include attacker efforts to persist on a compromised network and steal data or disrupt IT systems. This year, NCSC’s post-compromise responses accounted for 17% of all incidents it responded to.
“These types of incidents range from internal network reconnaissance and keystroke logging, to encrypting, locking or exfiltration of files. Remediation of incidents that reach the post-compromise phase can have significant impacts for the affected organisation, depending on the nature and extent of the intrusion,” NCSC noted.
NZ NCSC noted that the 339 attacks it addressed were a small proportion of overall cyber security incidents impacting the nation because it is tasked with focussing on “high impact events and nationally significant organisations”.
In the 2018-2019 period, NCSC contributed to the New Zealand Government publicly attributing hacking campaigns to two nations, which included activities by Russia and China.
In October 2018, the Director General of NCSC’s parent organization, the Government Communications Security Bureau (GCSB), condemned the Russian military’s General Staff Main Intelligence Directorate (GRU) for the Bad Rabbit ransomware.
Bad Rabbit hit systems in Ukraine and Russia in late 2017, following the WannaCry outbreak in May that year and the NotPetya attacks in June. The Five Eyes alliance — which includes the US, Australia, New Zealand, the UK and Canada — blamed WannaCry on North Korea, while they attributed NotPetya to Russia.
New Zealand’s GCSB also joined Australia, the UK and US in accusing China-backed hacking group APT10 of attempting to compromise IT managed service providers to access intellectual property from enterprise customers. APT10 has been on the radar for security researchers since 2009.
NZ NCSC said it detects about 12 hacks affecting one or more organizations in the country through its CORTEX system, which is used to alert select critical infrastructure providers of nationally significant cyber threats and sophisticated malware. NCSC shares CORTEX data with Five Eyes agencies if it relates to a cyber attack on New Zealand.
NZ NCSC also received on average 16 new incident reports from organizations each month outside the view of CORTEX.
Cybercrime incidents that NCSC responded to in 2018-19 totalled 27, and typically stemmed from unpatched flaws or a lack of multi-factor authentication.