The government's cyber security office says New Zealand organisations are increasingly the target of state-linked Russian cyber spies.
In its annual threat report the National Cyber Security Centre said the country was facing more complex security threats from both criminals and other nations - recording 7122 security incidents in the year to July 2024.
Its publication came at the same time as CyberCX's own report into security threats, which found multi-factor authentication was no silver bullet for cyber security.
The NCSC said the overwhelming majority of attacks it responded to targeted individuals and small to medium businesses, resulting in $21.6 million of reported losses.
The security office said the remaining 343 incidents had the potential to be nationally significant - an increase of 27 on the previous year.
Over 100 of those were linked to state-sponsored actors and 65 marked as being criminally or financially motivated.
The report said New Zealand's global ties and technological innovations made it a target, with state-sponsored hackers continuing to show their determination to access valuable intelligence.
It said the Russia-Ukraine conflict had increased the cyber threat to New Zealand, citing a rise in Russian state-linked malicious cyber activity and pro-Russian hacktivists targeting government organisations.
It said it was becoming more and more difficult to link such attacks to state-sponsored groups, and a proportion of unattributed incidents were likely state-linked.
"Additionally, there is the potential that some criminal groups are being directed by states, or at least have tacit approval to conduct malicious cyber activity that aligns with state interests."
Government Communications Security Bureau (GCSB) deputy director-general cyber security Lisa Fong told Checkpoint it was a very complicated scene.
"We're seeing a range of different tools being used by both criminally motivated and financially motivated actors, as well as state sponsored actors and the range of victims is also broad."
There were a range of steps people could take whether they were an individual, a small to medium-sized enterprise or a large business, she said.
Fong said although the Russian Federation and People's Republic of China had been referred to as state-sponsored actors, "there are now an increasingly broad range of state-sponsored activities we're seeing in the New Zealand operating environment."
It was becoming increasingly difficult to attribute particular activities to a particular criminal, she said.
"There's a fantastic range of techniques being used by malicious cyber actors, some of those are reasonably low level in terms of their sophistication, however, that's because individuals and organisations might be leaving themselves vulnerable or might be unaware of the steps they could take to protect themselves, so it's not necessarily the most sophisticated activities."
The vast majority of the targets for the state sponsored actors were in the government and the defence sector, she said.
"I'd say that points to ... interest in both the intellectual property but also the sort of strategic information held."
Asked how New Zealand was holding those states which supported criminal cyber activity here responsible, Fong said it was "publicly, privately and through our defensive measures".
"In March 2024 with our first public attribution of APT40, a state sponsored threat actor who had made their way on to two democratic institutions, it's really important that we draw a line in the sand around protection of our values and institutions as New Zealanders."
The report said the compromise of business or corporate email accounts was a growing concern and that it was becoming increasingly profitable for criminals.
Fong said there was a concern that criminals could take credentials such as identity or access information from large data spills or insecure systems.
"[This could] look really authentic, both internal to a company as well as external.
"So we're really focussed on making sure that companies are aware of the ways in which their identity and their access into their system can be locked down in what we call zero trust ways so that only people who are authenticated can be operating on their systems."