11 Feb 2021

Unpacking the attacks on the NZX, Florida's water plant, and Cyberpunk 2077

From Nine To Noon, 11:07 am on 11 February 2021

Cybersecurity expert Tony Grasso joined Nine To Noon to talk about some big hacks and Distributed Denial of Service (DDoS) attacks, including the one on the NZX, a ransomware attack on gaming blockbuster Cyberpunk 2077 and the near-successful attack on a water treatment plant in Florida which would've pumped sodium hydroxide into the city's water.

Grasso tells Kathryn Ryan there are elements of the Financial Markets Authority (FMA) report into the NZX DDoS attack, which went on for six days, that have left him with more questions.

“Yes, they were criticised for not having an adequate IT department on the inside to help deal with this kind of issue, but they have done what many other organisations have done – they’ve outsourced it – and it was not mentioned in the report how the outsourcing firms responded.

“I know what it’s like being at the top and you’re having to make decisions and somebody sells you an idea or a concept, you’re paying a monthly fee and they say they’ll look after you because they’ve got this widget, or they’ll help you when you have an incident. But none of those firms were actually included in the report.”

He says the NZX may have been sold a service which promised to take care of situations like the one that occurred, but it’s not good enough for a head of IT to leave it there.

“I accept that, but I do think the report needs to be more balanced because other firms are going to be reading this.”

The legal teams of corporations should also be involved in third-party contracts to make sure there’s liability and a fair portion of blame when things go wrong.

“The contract needs to change so that they legally do have to make a statement for the organisation as well and share that responsibility because their brand is hurt, and it helps everybody up their game.”

And everybody upping their game is a pertinent issue as the Florida water treatment plant attack shows. Grasso says hackers radically turned up the supply of sodium hydroxide in the water.

“It would hurt people if you drank the water, it’s a strong alkaline.”

Luckily, an incident response person was monitoring the systems and noticed the sodium hydroxide had been increased.

However, Grasso says it was indeed a lucky spot and security is more or less ‘tacked on’ to things like water and gas plants. He says there should be a valuable lesson for New Zealand in there.

“To a certain extent, I think we feel that because of where we’re geographically located, we’ll be fine but that’s not how it goes.”

At the less serious end of the spectrum of attacks was the theft of files from CD Projekt Red’s new game Cyberpunk 2077.

“It’s been a well waited for game. The amount of money it made on its first couple of days was in the hundreds of millions.”

Grasso says a group went in and carried out a ransomware attack, meaning they locked and encrypted key files for the game and demanded that CD Projekt Red pay a ransom to unlock them.

“It was a well-orchestrated attack because it encrypted all of their back-up systems as well and they’re now bringing them back up online. What they don’t say in the story is whether they paid the ransom – I’m almost certain that they would have… I’m pretty sure they don’t have much choice.”