SecurityBrief New Zealand
New Zealand's leading source of cybersecurity and cyber-attack news
Partner content

An exclusive look at the NZ NCSC cyber crime report

By Matthew Lark
Mon 13 Dec 2021

Documenting the activities of New Zealand government agencies for the tax-paying public ensures one consumes a range of essential, if largely indigestible, reading matter. Annual reports often form a cornerstone of this unglamorous fodder, and many are long and unnecessarily tedious in their discourse and disclosures.

It's refreshing then to come across the 25-page Cyber Threat Report 2020/2021, for the fiscal year ending 30 June, from the National Cyber Security Centre (NCSC). The NCSC is located within the Government Communications Security Bureau, and this report was released in mid-November.

The NCSC describes itself as "the lead organisation for responding to cyber threats that could have an impact on national security and wellbeing". This report details major cyber security incidents the Centre has documented and, in some cases, prevented; engagements it has undertaken with a wide range of significant organisations; and trends observed in the cyber threatscape during the year.

Some statistics at a glance

In the 2020/2021 fiscal year, the NCSC recorded 404 incidents with a possible national impact, or affecting New Zealand's nationally significant organisations. This figure is up 15% from the previous year when 352 incidents were recorded. Suspected state-sponsored activity accounted for 28% of incidents this year, compared to 30% in the last.  

More significantly, incidents involving non-state actors with criminal or financial motivations rose from 14% in 2019/2020 to 27% in 2020/2021.

Unattributable incidents this year accounted for 26% of all incidents, which the NCSC describes as having "insufficient information to make any assessment about the actor responsible or their motivation, and the suspected actor was recorded as unknown."

The Centre goes on to say: "The remaining share of incidents comprised proactive or preventative efforts, false positives, data leaks, or other incidents not associated with a suspected malicious actor."

The NCSC estimates its interventions, advice, and assistance prevented $119 million worth of harm in the year to 30 June 2021, an increase from $70.5 million reported in the year to 30 June 2020. This figure is based on incidents the Centre has prevented and on the likely cost of incidents where its assistance prevented harm or aided response to and recovery from malicious cyber attacks sustained by significant public and private entities.

Engagement by the NCSC with the wider community increased, with 1872 engagements with 200 organisations recorded in 2020/2021, compared with 1770 engagements with more than 250 organisations in the previous year.

22 security information exchanges were hosted, compared with 20 in the previous year. 23 reports and advisories were issued to general customers, and 94 incident reports were delivered to customers.

Looking inside the numbers: Comment from inside and out

Lisa Fong is the director of the NCSC and has been employed by the GCSB since 2016. She was the bureau's Chief Legal Advisor and acting director before taking up her current role.  

Fong believes the rise of 13% in criminally or financially motivated incidents is the most significant figure expressed in this year's report. Though the distinction between state and criminal actors becomes more blurred with time, she says motivation is the key difference between the two groups.

"Where we see state actors continuing to operate is in ways where they're trying to avoid detection because their outcome is strategic information. Whereas criminal and financially motivated actors may be looking to have impact to create leverage. The use of media during recent ransomware attacks is a good example. The persistence you're looking at with state actors means they are willing to explore a range of different techniques whereas there may not be as much sophistication in use of tools by criminally and financially motivated actors," Fong says.

The unattributable incidents mentioned in this report are concerning but not surprising to Lisa.

"That's where we've caught the incident at an early enough stage that we can't actually distinguish between whether or not it's state sponsored or criminally or financially motivated. That's significant in the sense that it demonstrates the sophistication of the tools now available to that criminally and financially motivated group, which they didn't have historically. It also potentially indicates significance of those safe harbours that state sponsored actors have been providing."

Chris Hails is a consultant with ZX Security in Auckland and a former employee of the NCSC. He believes the apparent increase in criminally motivated incidents is significant but not disproportionate.

"Overseas data will show cyber crime activity rising between 40% to 400% during COVID-19 lockdowns in 2020/2021 in particular, depending on country and industry sector. The ability to exploit staff working from home, where security controls may not be as effective, and where people are tired, stressed and vulnerable, has provided ripe pickings for offshore criminals," Hails says.  

To Hails, the percentage of unattributed incidents is no surprise. 

"Accurate attribution is incredibly hard given the skills of threat actors and their ability to anonymise their activity and use commoditised attack tools available freely online to any motivated offender," he remarks.  

Hails believes how the crime is committed matters more to New Zealanders than who commits it. 

"Cyber crime is a global business and many companies are relying on cyber risk insurance to provide cover for clean up and recovery. Attribution is of little interest as long as costs and resources to remediate and get back to business as usual as soon as possible, are prioritised," he says.

The NCSC records a 70% increase in the financial harm prevented as a result of its activities between this year and last year. Since June 2016, it estimates a total of $284.5 million worth of harm has been averted for nationally significant organisations, and Lisa Fong says the model and associated tools used to calculate these figures have been a collaborative and labour-intensive effort.

"We worked with a global consultancy to draw on international and domestically available data there was, to construct what is a reasonably conservative algorithm for the nature of the organisations we seek to support and the nature of the incidents we seek to detect and protect against. We've recently reviewed the methodology to make sure it remains fresh and have updated some of the international research that helps form that calculation. It remains valid and is conservative as we would rather undercount economic value than overcount it," she says.

Chris Hails acknowledges NCSC's effort regarding nationally important organisations but believes the full picture of financial losses for all New Zealand business sectors may look much darker. He cites the Australian Cyber Security Centre's self-reported losses from cybercrime, which its current annual report places at $33 billion. Based on that figure, Hails deduces that our total losses may be as much as $6.6 billion annually.

"In New Zealand we don't know the full picture of harm from cyber crime due to fragmentation in reporting. But you can aggregate from data provided by NCSC, CERT, The New Zealand Police, the Privacy Commissioner, and other non-government entities like Netsafe, to provide a view. We need better coordination as they have in Australia to involve the banks and telcos, in data sharing and the aggregating of impacts across the country," Hails observes. "Victims can fall between stools here and be deterred from submitting a report."

Engaging with the public

Though it is not a regulator or enforcement agency, the NCSC is heavily involved in helping business in critical sectors such as education, logistics, energy and finance. Engagements range from phone calls or video teleconferences and the issue of reports to customers on incidents, to much larger dialogues like the 22 security information exchanges it facilitated in the 2020/2021 year. 

"Those are forums we facilitate in the public and private sector to enable technical specialists to come together in trusted environments to share information around threats and vulnerabilities they're observing in their sectors," Lisa Fong says. "These are environments where they might have useful insights which might not otherwise be shared commercially."

Fong says her Centre's part in these often lengthy exchanges is primarily dictated by those participating in them. 

"They are usually led by their members," she observes. "We provide a facilitative function and we can assist by providing content but we will take direction from members about what they want from us. They also determine membership of those groups."

The Centre released two publications this year to assist businesses. 'Supply Chain Security: In Safe Hands' and 'Incident Management: Be Resilient, Be Prepared' are part of a series created by analysing 250 New Zealand organisations for the biggest cyber security challenges facing NCSC customers.

"What they're designed to achieve is a better conversation between technical parts of an organisation and governance layers, to make sure there's visibility of risks and greater governance and appropriate investment in those technological areas," Fong says.  

"In terms of uptake, we've found it has unfortunately been very relevant this year and there's been a great deal of interest in hearing from us about these resources. We make a deliberate effort to be available to brief boards and sectors who want to hear the latest from us."

Major events and incidents

The NCSC was involved in 3 major events during this fiscal year: the general election in October 2020, the hosting of the virtual APEC summit between November 2020 and November 2021 and the COVID-19 vaccine rollout. The last of these has seen NCSC staff assisting everyone from medical service and transport providers to government agencies like the Ministry of Health. All have required a wide range of help, as Fong relates.

"For instance, supply chain risk and conducting risk assessments and ensuring cyber resilience is generally good in organisations that'll be critical to the rollout. They may be core government agencies as well as some smaller providers such as logistics companies. We've also been able to provide cyber intelligence reporting on cyber threats that might be specific to the rollout or which we've seen globally, that might indicate specific protective measures which need to be put in place."

Fong believes public sector agencies in particular would have endured serious disadvantages without assistance from NCSC. 

"They would not have been able to backfill from the private sector, the intelligence threat reporting or the cyber defensive services they needed. The connections to our international partners were particularly critical to providing global insights both on intelligence and technological fronts."

Three major cyber incidents commanded NCSC attention this year also. They were a data breach at the Reserve Bank, a series of distributed denial of service attacks on the New Zealand Stock Exchange and a crippling ransomware attack on the Waikato District Health Board in May.  

"We were able to use our 24/7 incident response capability to deploy to Waikato DHB, and we also were able to provide system support connecting up different parts of government who needed to be involved in the response. We provided the lead on the technical incident response in this case," Fong says.

This incident was classed as a category two (highly significant) incident. Categories are assigned from a matrix ranging from C6 (minor incidents) to C1 (national emergency).

Jamie, whose full name and title we've agreed not to disclose, is from NCSC's Cyber Threat Unit. On C2 incidents in general, he observes:

"That might involve us having people on-site with the victim organisation, providing advice and guidance. It might be undertaking forensic analysis, assessing what happened, what risk there is to the organisation, how to return it to a safe stage. We may have to make sure that we've effectively removed a malicious actor from a network," Jamie says.

At categories one to three, the NCSC will support commercial vendors of IT and security services which the victim organisation relies on. 

"When an incident reaches a threshold where it requires an all of government response, there is a National Cyber Security Response Plan on the DPMC's website, that sets out that response. We would typically play a lead role in coordinating that," says Jamie.

Looking forward 

For Lisa Fong, new partnerships and reaching out to new customers are focuses for the next fiscal year and beyond. The much-publicised launch of Malware Free Networks through nine private sector partners is one example of the NCSC ensuring it can produce customer-facing services which businesses outside the public sector can utilise. Fong cites another specific and less visible example of a new initiative that can involve more than just government agencies.

"In our cloud security templates we're really focusing on partnership. These see us working with cloud providers to make sure that the New Zealand Information Security Manual standards for government are integrated into cloud offerings. This means that there's continuous assurance available for public sector agencies wanting to increase their cloud uptake or conduct digital transformation. These aren't exclusive to the public sector and many government agency suppliers will want to adopt those standards as well and they're available to them."  

Public Interest Journalism funded through NZ On Air.