The Government’s Computer Emergency Response Team (CERT NZ) is monitoring a cyber security attack which appeared to take down a number of major organisations’ websites this morning.
Kiwibank, ANZ, NZ Post, MetService and NZ Police all acknowledged that their sites were slow at times.
All came back online around midday, but CERT NZ posted a statement saying it was aware of a DDoS (Distributed Denial of Service) attack targeting a number of New Zealand organisations.
“We are monitoring the situation and are working with affected parties where we can.”
A spokesman for the GCSB’s National Cyber Security Centre said, “We are limited in any public comment we will make as we are aware that malicious cyber actors can follow what is reported publicly, and may change their behavior based on media reporting of their activity.
“DDoS attacks are not new, and most are repelled by organisations working with their service providers who are best placed to implement technical mitigations.”
Kiwibank down again
It is the second time this week that Kiwibank, which is owned by NZ Post, the Superannuation Fund and ACC, has had outage problems.
On Monday Kiwibank told customers it was having “continued intermittent issues” with some services including internet banking, its app, website and phone services.
Customers were also having to wait longer than usual to get through on the bank’s phone lines.
Yesterday the bank said on its social media platforms that its teams had worked to implement a fix overnight and all banking systems were up and running this morning.
“We’re continuing to monitor our systems and want to thank you for your patience and understanding as our teams worked to urgently resolve the issue. We are aware of the inconvenience this caused for many of our customers and apologise for this.”
But this morning it was back down again.
“We’re aware some of our services including Internet banking, our app and website are currently unavailable and we’re working on this urgently. We’ll keep you updated.”
The outage has prompted outrage from customers.
One man who contacted the Herald said it was the third time in a week Kiwibank’s services had gone down.
“Kiwibank is down, again. Third time in a week. So damn frustrating. Going to change banks when covid levels allow. Their service sucks!!”
Another woman on the bank’s Facebook page said she was trying to put in an order for meat.
“Come on guys! I have to pay for my meat so I can feed my family! Deadline is 12pm or it won’t be delivered till Friday.”
Others were frustrated at being unable to shop to get ready for school lunches ahead of schools reopening outside of Auckland under Delta level 2 restrictions.
“Seriously again, it’s school tomorrow guys so everyone has to get lunch food today.”
ANZ also reports issues
ANZ also posted to Facebook that it was having problems with its internet banking and goMoney app this morning.
An ANZ spokeswoman confirmed: “We are currently experiencing an outage in regards to internet banking that means customers are not currently able to access their accounts online.”
“Our team has been made aware and are working as quickly as possible to get this back up and running. We apologise for any inconvenience this is causing.”
NZ Post, MetService suffer issues
NZ Post was offline at times this morning and at other times loading quickly.
Sites often phase on and offline during a DDoS attack.
MetService tweeted that it too was having problems.
“An issue is currently affecting MetService.com and our apps. Traffic has been diverted to our backup site http://www2.metservice.com which contains all safety critical weather information for NZ. Thank you for your patience as we work to get these services back online,” the post read.
An NZ Post spokeswoman said its website was experiencing intermittent disruptions.
“NZ Post’s customer call centre and other customer facing systems are online and operating.
“The disruption is due to an issue that one of our third-party suppliers is experiencing. We are working closely with them; however, it is too early at this stage to understand when this issue will be resolved.”
She said the incident would not impact its delivery or processing services and its contact centre was still fully operational.
“We are, however, experiencing a high level of call volumes and ask that customers only contact us if their enquiry is about a parcel delayed longer than five days.”
Daniel Ayers, a cyber security expert, told the Herald on Monday he believed Kiwibank had been subject to a Distributed Denial of Service (DDoS) cyber attack.
In a DDoS attack the hackers overwhelm a site with thousands or millions of bots trying to connect to it at once, rendering it inaccessible. There’s no element of breaking into servers or stealing data.
Ayers said he was a Kiwibank customer and the first thing he noticed was that he couldn’t use mobile or internet banking.
“I noticed that five hours previously someone else had been having a few problems and I thought gosh that is quite a big outage.”
He said he did a bit of investigating and discovered Kiwibank used internet provider Vocus. Vocus had a major outage on Friday after it came under a DDoS cyber attack.
Ayers said the fact there was intermittent access to Kiwibank’s online services and the connection to Vocus meant it could be a DDoS attack.
“If there was just an ordinary connectivity problem when they fix it, they fix it.”
On Monday, when the Herald asked Kiwibank’s spokeswoman if the bank had been subject to a cyber attack, the spokeswoman said it had identified the cause and was working hard to fix the issue.
She did not say what the cause was.
“Our priority at the moment is continuity of service for our customers. We apologise to our customers for any inconvenience caused and thank them for their patience and support.”
Vocus said on Monday that Kiwibank was not the Vocus customer targeted by its DDoS attack three days ago.
“Friday’s attack was on a customer, not on the Vocus network,” a Vocus spokesman said.
“The Vocus network wasn’t under attack then, and it isn’t now.”
Ayers said last year’s NZX cyber attack showed that a DDoS attack can take out organisations other than the ones that are targeted, as it could overload the provider’s capacity.
Ayers said a DDoS attack was not a fraud threat in terms of someone stealing people’s money.
“But it will prevent you from spending money.”
That would cause inconvenience for customers.
“It does seem that Kiwibank has failed to learn from the experience of NZX.”
He said one of the things that hurt the NZX was having its internet domain name servers on the same network as everything else, so when they had the denial of service they were knocked out, and the same thing appeared to have happened to Kiwibank.
“After the NZX experience if DDoS attacks weren’t seen as a real threat beforehand they certainly would afterwards.”