GCSB report reveals sophisticated attacks, boosts cyber resilience amid rising espionage and ransomware
The New Zealand’s National Cyber Security Centre (NCSC), a part of the Government Communications Security Bureau (GCSB) revealed that the country faced increasingly sophisticated cybersecurity threats from criminal entities and foreign state actors. In its inaugural year as New Zealand’s primary operational cybersecurity agency, the GCSB report disclosed a total of 7,122 cybersecurity incidents for the period ending June 30, 2024, highlighting growing challenges and complexities in safeguarding the nation’s digital infrastructure. It also identifies and analyzes some of the common, recurring techniques that malicious cyber actors have used in cyber incidents.
“This year’s report illustrates how malicious cyber activity affects every part of New Zealand society. Good cyber security awareness and practices help to protect against the harm this malicious activity can cause,” Lisa Fong, deputy director-general cyber security at the GCSB, wrote in the agency’s Cyber Threat Report 2023/24 report. “This report encourages familiarity with the cyber landscape and better understanding of the techniques and tactics used by malicious cyber actors, and recommends steps to mitigate them. Through good decisions and action, New Zealand can become a place where good cybersecurity happens everywhere, all the time, by everyone.”
The GCSB report revealed that state-sponsored malicious cyber activity endures and primarily poses an espionage threat to New Zealand organizations. This year, the NCSC has observed a wider range of state-sponsored malicious cyber activity and some heightened activity from traditional adversaries. While the number of incidents that can be linked to state-sponsored actors (110 incidents, or 32 percent of incidents of national significance) is up 8.5 percent on the previous year, it is broadly consistent with the proportion of recorded state-sponsored incidents over the previous five years. These have ranged from 33 percent in 2019/20, 28 percent in 2020/21, and 34 percent in 2021/22. An exception was a decrease to 23 percent in 2022/23.
During 2023/2024, NCSC recorded 343 incidents of potential national significance. “While this figure is 8.5% higher than the previous year’s incidents, it is close to the yearly average of 353 recorded by the NCSC in the past five years. The proportion of incidents attributed to suspected state-sponsored actors and criminal or financially motivated actors has also remained relatively consistent over this five-year period.”
The GCSB report revealed that incidents arising from the actions of financially motivated malicious cyber actors predominantly involved organizations in the health care, information media and telecommunications sectors. The healthcare sector is a common target in financially motivated cyber activity, as disruption to critical services is more likely to increase the possibility of a ransom payment. Growing global connectivity and software supply chains also make it more likely that financially motivated ransomware incidents overseas could have indirect downstream effects for New Zealand organizations or critical services.
The report added that New Zealand’s international relations, involvement in global organizations, technological innovations, and research, means that the nation holds information that is likely of high intelligence value, and state-sponsored cyber actors continue to demonstrate the intent and capability to target the nation’s infrastructure for its acquisition. “The tense geopolitical environment – including the rise of hacktivism, fallout from the Russia-Ukraine conflict, and acceleration of disruptive cyber capabilities – has almost certainly increased the cyber threat to New Zealand organizations. The NCSC has seen this reflected in cyber incidents in a number of ways, including an increase in Russian state-linked malicious cyber activity and pro-Russian hacktivists targeting multiple New Zealand government organizations.”
The GCSB report also addressed New Zealand is increasingly experiencing incidents in which sophisticated cyber criminals are using their capabilities and wider resources to scale their operations.
“Ransomware has remained a persistent threat to New Zealand’s nationally significant organizations, smaller businesses and even schools. Disruption efforts, such as arresting actors and taking down infrastructure, have resulted in a decrease in financially motivated cyber incidents this year,” according to the report. “However, it is expected that this will only be temporary as groups diversify and rebuild. Ransomware actors continue to take advantage of exfiltrated data to extort payment from their victims, increasing the potential for reputational and economic harm, and impact to critical services.”
Furthermore, the report identified that dominant ransomware players continue to target high-profile victims. “Extortion activity in New Zealand was not only limited to ransomware; victims also experienced disruptive distributed denial-of-service (DDoS) activity in lieu of encryption or data leaks.”
The GCSB report added that the scale and impact of online scams and cyber-enabled fraud is rising in New Zealand, enabled through the growing use of social media and cryptocurrency. The compromise of business or corporate email accounts is of growing concern and is becoming increasingly profitable for criminals. This is because it enables cyber criminals to pretend to be trusted organizations, making it more likely for people to provide personal information. Victims are experiencing significant personal, reputational and financial harm as a consequence of this activity.
Data also revealed that the proliferation of cyber capabilities has lowered the barrier of entry for malicious cyber actors, providing access to more sophisticated skills and techniques. Offensive cyber tools and services (including spyware), once only available to well-resourced countries who could develop them internally, are now widely accessible to states and cyber criminals.
“Cyber threat actors will likely continue to experiment with new tradecraft and technologies, but success does not necessarily rely on these,” according to the GCSB report. “The threat to victims from simpler, long-standing methods, such as phishing to deploy malware or vulnerability exploitation, is still prevalent across New Zealand’s domestic cyber threat landscape, from individuals to our nationally significant organizations.”
The report also revealed that phishing and credential-harvesting continue to be the most common incidents reported by organizations, despite a 31 percent decrease from the previous year. This category was the second-most common incident reported by individuals (after scams and fraud) despite decreasing by 19 percent. The prevalence of this incident type is largely due to its use ranging from unauthorised money transfer to ransomware.
“In 2023/2024, the NCSC handled 658 reports of unauthorised access through its general triage process,” the GCSB report pointed out. “601 reports impacted individual New Zealanders, and 57 reports impacted organizations – a 23% and 27% decrease from the previous year, respectively. A significant portion of these reports involve cyber threat actors gaining unauthorised access to social media accounts.”
The agency also reported that heightened tensions within the international landscape have driven cyber threat actors to break further away from rules-based international systems. State-sponsored cyber actors are increasingly demonstrating a disregard for the norms of responsible state behaviour online. The number of malicious cyber actors aspiring to target systems supporting Western critical infrastructure is also increasing. It is possible that disruptive malicious cyber activity linked to conflict could escalate and impact Aotearoa New Zealand.
“Ongoing global tensions, including Russia’s invasion of Ukraine, have almost certainly generated a significant amount of targeted intrusion and hacktivist cyber activity globally in 2023/2024, including against New Zealand organizations,” according to the GCSB report. “Likely emboldened by the invasion, Russia-aligned cyber actors have continued targeting Russia’s neighbours and New Zealand’s like-minded partners. While not to the extent many expected, malicious cyber activity in support of Russia and Ukraine has persisted into 2024.”
It also assessed that malicious actors continue to use living-off-the-land (LOTL) tradecraft for avoiding detection and maintaining persistence on networks. This technique is used by both state and non-state actors, though it is likely favoured by state-sponsored actors who are attempting to maintain access for espionage and data exfiltration over long periods of time.
Another interesting highlight from the GCSB report was that some cyber criminal syndicates are no longer hesitant to target individuals or organizations where there may be retribution, or where cyber attacks were perceived by some as unethical, for example against hospitals. Victim harassment, including threat to life, is also being increasingly leveraged against employees of organizations to exert pressure to release payment.
Moreover, this new generation of cyber threat actors is challenging these accepted rules in pursuit of profits, regardless of potential risk to innocent lives or possible consequences from attacking critical infrastructure. Combined with this less-restricted approach to victim selection, these actors regularly alter the type of cyber criminal activity they conduct. This makes their behaviour unpredictable and therefore more difficult to respond to.
In conclusion, the GCSB report found that for New Zealand organizations, the impact of cyber incidents can range from temporary inconvenience to significant disruption of critical public services. Organizations that experience cyber incidents can lose important data or the use of systems, sometimes irretrievably, as well as experiencing diminished public or customer trust.
link
