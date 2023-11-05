Lisa Fong (National Cyber Security Centre) Credit: Supplied

Financial scams have overtaken state-sponsored attacks in the New Zealand threat landscape, according to the National Cyber Security Centre (NCSC).

The NCSC recorded 316 cyber security incidents it disrupted, detected, or advised on and analysis of these showed financially motivated activity exceeded state-sponsored threats for the first time. These also had a greater potential impact, the agency warned.

"Organisations in Aotearoa New Zealand are defending against an increasingly complex cyber threat environment," deputy director general Lisa Fong said in the agency's annual report, released today.

"We see heightened determination from cyber-criminal actors attempting to extort payment from organisations that are increasingly aware of – and resilient to – extortion and manipulation tactics."

Seventy-three incidents, 23 per cent of the total, were linked to state-sponsored actors, down from 34 per cent in 2022.

Fong said the growing availability of effective malicious cyber tools, compromised credentials, and vulnerabilities in public-facing infrastructure had made it easier for malicious cyber actors to work at scale and to cause "national-level" harm.

“Domestically, and internationally, the NCSC has seen heightened determination from cyber criminal actors attempting to extort payment from organisations,” she said.

The total of 316 incidents was down from 350 in 2022, reflecting a number of factors, including recent disruptions to cyber criminal infrastructure; the changing priorities or tactics of states; organisational cyber resilience and maturity, and the NCSC's increasing ability to disrupt activity before harm took place, Fong said.

Despite the drop in total incident numbers, the number detected by NCSC itself grew year-on-year and accounted for about a third of total recorded incidents.

The NCSC does not generally name the organisations attacked, however, it was reported in September that the Auckland University of Technology was being extorted by a ransomware gang calling itself "Monti".

Despite the attack, normal university operations reportedly continued and disruption was minimal. However, Monti threatened to release 60GB of data.

Cyber security firm Cyber Sentience warned in May that hackers were selling access to the IT systems of hundreds of New Zealand schools and tertiary institutes as well as data stolen from thousands of staff and students.

Cyber Sentience said the information was being traded on the dark web and it had found evidence of hackers using a Kiwi primary school website as a hacking training ground, Radio NZ reported.

“Developments in the NCSC’s cyber defensive capabilities have allowed us to scale some services to a significant number of organisations, and even to protect individual home users," Fong said.

The NCSC estimated its advice and capabilities prevented $65.4 million in harm to nationally significant organisations in 2023.

In June, for instance, the agency supported the provision of its Malware Free Networks capability to defend customers of "a major telecommunications provider".

“These increasing and deepening partnerships mean the NCSC is offering unprecedented threat protection, with millions of New Zealanders now benefiting from Malware Free Networks," Fong said.

Malicious cyber actors were adopting new techniques and technologies, challenging orthodox detection methods, NCSC reported.

With the rapid emergence of technologies such as generative artificial intelligence (AI), for instance, organisations seeking to benefit had to be prepared to govern their use, and control associated privacy and security risks, Fong warned.

The agency's report also offered insights including threat mitigations to recurring tactics used by malicious actors in high-impact incidents over the year.

"We encourage organisations to use these to identify opportunities to uplift their cyber resilience when they review their cyber security controls and governance – and to reach out for further support as needed," Fong advised.

Recently, and not without controversy, NCSC and New Zealand’s Computer Emergency Response Team (CERT NZ) functions were merged to form a lead operational cyber security agency.

