The National Cyber Security Centre (NCSC) says a range of malicious actors are continuing to target significant New Zealand organisations.
Releasing its annual cyber threat report 2020 yesterday, the NCSC, which is part of the GCSB, said throughout the year, state-sponsored and non-state actors have shown their willingness to target New Zealand organisations in all sectors using a range of increasingly advanced tools and techniques.
“A common theme this year, which emerged prior to the COVID-19 pandemic, was the exploitation of known vulnerabilities in internet-facing applications, remote desktop services and virtual private network applications,” said the centre's director, Hamish Beaton.
“This means organisations with poor security posture are more likely to become a victim of malicious cyber activity, and are much less likely to detect such activity before harm is caused.”
Between 1 July 2019 and 30 June 2020, the NCSC recorded 352 cyber security incidents, compared with 339 in the previous year. Thirty per cent of those were able to be linked to state-sponsored actors.
COVID-19 had created many opportunities for malicious cyber actors to steal data, commit financial crimes, undertake espionage or disrupt the systems of organisations with a pandemic response role, the report said.
"Throughout the COVID-19 pandemic, cyber criminals demonstrated a disregard for threat to life and livelihood.
"Organisations involved in the crisis response were targeted by cyber criminals, who sought to impair the operation of hospitals, and other medical services and facilities.
"This reinforces the importance of good cyber security practices within any agency or organisation that may be involved in crisis management and the provision of services to the public, as cyber criminals quickly seek to exploit crises for their own financial benefit."
Beaton said the number of incidents recorded by the NCSC represented a small proportion of the total incidents because the agency's focus was on providing support for nationally significant organisations and responses to potentially high impact events.
CERT NZ also released its latest quarterly report yesterday, recording 2610 reports from organisations and individuals for the three months to 30 September, 2020.
The difference in numbers reflected the different perspectives the two organisations have, with CERT NZ focusing on individuals and smaller organisations.
The NCSC's own cyber defence capabilities, dubbed Cortex, also continued to provide significant value, Beaton said.
“Our analysis, based on a model which we had independently revalidated in 2019/20, indicates the detection and disruption of malicious cyber activity through the NCSC’s capabilities prevented $70 million in harm to New Zealand’s nationally significant organisations,” Beaton said.
“This means that since June 2016, the NCSC has prevented harm from hostile cyber activity by approximately $165 million.”
A series of DDoS attacks on the NZX and other New Zealand organisations have been an important focus for the NCSC recently, but occurred outside this reporting period.
The NCSC continued to build and grow New Zealand’s cyber defence capabilities, most recently through the successful pilot and initial delivery of Malware Free Networks (MFN), a scalable malware detection and disruption service.
“The delivery of MFN demonstrates the successful cooperation between public and private sector organisations and is an important part of the national strategy for increasing New Zealand’s cyber resilience,” Beaton said.