The National Cyber Security Centre is reporting that New Zealand organisations are facing an increasing risk of successful compromise by state-sponsored attacks.
Seventeen per cent of the incidents identified during the year to the end of June 2019 were characterised as "post-compromise" (see chart).
The NCSC's annual cyber threat report, released yesterday, said 38 per cent of the cyber incidents it identified in the year to the end of June 2019 had links to state-sponsored actors.
"While this is the same proportion as the previous year, a greater number of state sponsored linked incidents were characterised as post-compromise," the report said.
"State-sponsored cyber activity is generally more sophisticated than criminal or non-state activity, a reflection of the greater resources and motivations of the state."
State-sponsored incidents impacted a variety of New Zealand organisations in multiple industries, the report said.
"Organisations in both the public and private sectors hold a wealth of information that is attractive to other states, from intellectual property for new technology innovations through to customer data, business and pricing strategies or government positions on sensitive topics."
The sophistication of the attacks can also increase the difficulty of detecting and mitigating activity.
The NCSC defines a cyber security incident as an occurrence or activity that appears to have degraded the confidentiality, integrity or availability of data within an information infrastructure.
The agency groups incidents into two categories with four phases: the pre-compromise category comprises the preparation and engagement phases, while the post-compromise category comprises the presence and effect phases.
The goal of post-compromise incidents is to ensure ongoing access to a network, and to exfiltrate data or disrupt infrastructure or systems, the NCSC explained.
"These types of incidents range from internal network reconnaissance and keystroke logging, to encrypting, locking or exfiltration of files," the agency said.
"Remediation of incidents that reach the post-compromise phase can have significant impacts for the affected organisation, depending on the nature and extent of the intrusion."
By way of example, the NCSC said it became aware of a sophisticated cyber actor exploiting a known vulnerability in a web server software component used by a number of New Zealand organisations.
"When exploited, actors could install malware to obtain ongoing access to compromised servers. Analysis by the NCSC determined the actor then used this access point to move deeper into the network, by deploying password stealing tools such as Mimikatz or exploiting other vulnerabilities on the wider network."
The NCSC said it worked with the organisations known to be using the web server software component to identify the scope of the compromise, review the actor’s activity, and provide remediation advice to secure the networks.
"Out-of-date software remains a key weakness affecting the cyber security of New Zealand organisations," the agency said.
"This can be addressed through security patching, and should also include assessing the security of the components included in software products, such as website modules or extensions."
The NCSC is a unit of the Government Communications Security Bureau (GCSB).