WIXLIB

CYBER THREAT REPORT 2020/2021What’s theharm?In 2020/21, detectionand disruption activitiesundertaken by the NCSCprevented an estimated 119 million of harm to NewZealand’s organisations ofnational significance. Thisfigure reflects incidentswhere NCSC engagementsprotected nationallysignificant networks fromimminent threats thathad the capacity to causemany of the victims affectedsuch as losses causedserious harm, or whereby 2020/21 incidents.by intellectual propertyour response prevented orreduced the harm caused bysophisticated and targetedattempts to compromisecustomer organisations.The increase from 2019/20’s 70 million dollar harmreduction calculationreflects the increase inrecorded incidents, as wellas the scope of the NCSC’sassistance to victims, andthe critical economic rolesand services provided byIn 2020/21, the NCSC recorded 1872engagements with 200 organisations,and published a range of securityadvisories about threats to AotearoaNew Zealand organisations. Securityadvisories for general customersshare information about specificvulnerabilities or types of maliciouscyber activity seen targeting AotearoaNew Zealand networks. They mayincorporate technical indicators andmitigation advice that security teamscan use to strengthen their defences.Threat information and best practiceguidance are also generated bypublic and private organisations andthe information security industry.The NCSC assists the facilitationof information sharing amongorganisations facing similar threatsand challenges – especially wheresharing requires a high level of trust.This primarily happens throughSecurity Information Exchanges (SIEs)focused on critical infrastructure. In2020/21, the NCSC co-chaired 22 SIEs.Participants include key organisationsin the energy, finance, networkprovider, government, transportand logistics, and tertiary educationsectors.theft, including copyrightIn 2016, the NCSCcommissioned independentresearch to devise a modelthat could measure thebenefits provided by ourinterventions. The modelwas reviewed and updatedin 2020 to ensure it betterreflects internationalstudies about the averagecost of cyber incidents tospecific sectors. It factorsin important impacts,and patent infringement.While assigning a dollarvalue to harm preventioncan provide a usefulbenchmark, many of theimpacts of cyber harmare intangible. Loss ofpublic confidence andtrust, reduced health andwellbeing, and hesitance toadopt new technologies canall eventuate when cyberresilience is low.Support tomajor eventsparties and candidates in the lead-upPlanning for major national eventsNovember 2021, Aotearoainvolves preparing for the possibilityNew Zealand hosted the virtual APECthat a cyber security incident could2021 forum. The NCSC assistedcause disruption and reputationalagencies involved to ensure the virtualharm. The NCSC has a framework inhosting platforms used to facilitateplace for supporting the cyber securityonline meetings were secure, andrequirement of major events. Thisthat risk assessment and mitigationinvolves proactively evaluating andprocesses were in place to protectpreparing for cyber threats from state-participants. By successfully adaptingsponsored actors, issue-motivatedto hosting APEC virtually, Aotearoagroups, and criminals.New Zealand played a leadershipIn 2020/21, three significant eventsdrew NCSC involvement. In additionto supporting the COVID-19 vaccineto the election.Between November 2020 androle in championing the APEC goal ofbuilding an open, dynamic, resilient,and peaceful Asia-Pacific community.rollout, the NCSC provided servicesand advice to ensure the October2020 General Election was freefrom cyber interference. Free andfair elections are integral to ourdemocracy. While the GCSB does nothave any role in monitoring politicaldiscussion or free speech in AotearoaNew Zealand, it is alert to the factthat foreign interference is a growingthreat globally and domestically.The NCSC worked with the ElectoralCommission to help protect its coresystems and online presence. TheNCSC also worked alongside relevantagencies to provide protective securityand cyber security advice to politicalRansomware is a type ofmalicious software (malware)designed to disrupt the use ofcomputer systems and files untila ransom is paid. Crypto malwareis a specific form of ransomwarethat encrypts files and requiresa key – usually held for ransomby the malicious cyber actor – toreverse the encryption.5

6CYBER THREAT REPORT 2020/2021Supporting theCOVID-19vaccine rolloutvaccine rollout. The NCSCacknowledged involvementa threat to people’s safetyidentified points in thein the DHB’s recoveryand wellbeing. Part ofvaccine supply chain thatefforts. The reasons for thethe NCSC’s role was tocould be vulnerable toNCSC’s participation weresupport the DHB in safelyAs part of Aotearoa Newmalicious cyber activity.twofold: first, the NCSCrestoring services. TheThis information fed intowas ready to respond toNCSC also co-ordinatednational risk managementany malicious cyber activitya wider defensiveplanning.that had the capacityresponse, working to shareto disrupt the country’sinformation, and manageCOVID-19 response.cyber security risk toSecond, the incidentthe rest of Aotearoadegraded healthcareNew Zealand’sservices and representedhealthcare sector.Zealand’s response toCOVID-19, the NCSCextended support andadvice to healthcare,logistics, transport, and ITsystem suppliers involvedin all aspects of the nationalIn May 2021, the WaikatoDistrict Health Board (DHB)experienced a ransomwareincident. The NCSC publiclyWho the NCSCworks withThe NCSC works with a number ofpartner organisations to build acohesive line of cyber defence. Ourprimary international relationshipsare with the cyber securitycomponents of the Australian SignalsDirectorate (ASD), the CanadianSecurity Establishment (CSE), theUnited Kingdom’s GovernmentCommunications Headquarters(GCHQ) and the National SecurityAgency in the United States (NSA).Aotearoa New Zealand’s CyberThe NCSC values keySecurity Emergency Response Planpartnerships with the private(CSERP) sets the framework for thesector. During incidents, thegovernment’s response to a cyberNCSC typically works with supplierssecurity emergency, and prescribesto the affected organisations duringthe NCSC as the lead agency inthe secure restoration of services.Aotearoa New Zealand for incidentsThe NCSC is partnering with servicecategorised as cyber emergencies.providers to deliver more securityThe NCSC works with CERT NZ,offerings and enhanced securitywhich provides general supportcapabilities.to businesses, organisations, andindividuals affected by cyber securityincidents, and with New Zealand Police,which is responsible for investigatingcrimes that happen online.At a broader scale, the NCSC supportsthe government’s wider digital anddata goals in support of the nation’seconomic recovery and AotearoaNew Zealand’s wellbeing. This workRespectively, their cyber securityCyber security resilience is centrallyincludes contributing to some keycomponents include the Australianimportant to ordinary businessstrategies: the Digital Strategy forCyber Security Centre (ACSC), theoperations. The NCSC works closelyAotearoa, the Strategy for a DigitalCanadian Centre for Cyber Securitywith technology and investmentPublic Service, the Data Investment(CCCS), the United Kingdom’s Nationaladvisors, including the MinistryPlan and the National Cyber SecurityCyber Security Centreof Business, Innovation andStrategy, led by colleagues in the(UK NCSC) and NSAEmployment (MBIE) and the OverseasDepartment of Internal Affairs,Cybersecurity.Investment Office.MBIE, Statistics New Zealand and theNational Cyber Policy Office.

CYBER THREAT REPORT 2020/2021Cloud securityRegulatoryfunctionsAs part of the GCISO’s role to build and maintain a high level of cyberAotearoa New Zealand’sresilience and awareness in the public sector, in 2020/21 the NCSC beganbuilding NZISM baseline cloud security templates. These templates,developed in partnership with cloud service providers, better enablegovernment agencies which are adopting cloud services to identify howtheir security controls and principles can be brought in line with bestpractice standards outlined in the NZISM. By using these templates,organisations will better understand their environments’ level ofcompliance with relevant principles and controls, and be able to easilyimplement and continuously monitor their cloud services use to ensurethey are maintaining a base level of protection.telecommunications networksare a core part of New Zealand’scritical national infrastructure.Organisations and individuals relyon network providers for safe andsecure access to digital capabilities,and the secure provision oftelecommunications services.The purpose of theTelecommunications (InterceptionCapability and Security) Act 2013The Government ChiefInformation SecurityOfficer (GCISO)The GCISO’s efforts are also focused(TICSA) in relation to network securitytowards supporting the secureis to prevent, mitigate, or removedigital transformation of the publicsecurity risks arising from the design,service. The GCISO uses specialisedbuild, and operation of publictelecommunications networks, orThe Director-General of the GCSBknowledge of international bestpractice and Aotearoa New Zealand’sfrom the interconnection of publiccyber threat landscape to help informtelecommunications networks tothe information security standardsnetworks in Aotearoa New Zealandfor the public sector so they areor overseas.holds the role of the GovernmentChief Information Security Officer(GCISO), and is responsible forproviding leadership and advice aboutinformation security risks across thepublic sector. The GCISO functiondraws on the technical capabilitiesof information security professionalsfrom the GCSB, particularly the NCSC.Leveraging this expertise, the GCISOidentifies solutions to commonsecurity challenges, ensures effectivepolicy settings are in place across thepublic sector, and supports nationalincident response efforts.appropriate, responsive, and relevant.GCISO develops and maintains theNew Zealand Information SecurityManual (NZISM), enabling digitaltransformation by setting highstandards for information technologyand communication systems. Asthe keystone information securitypolicy-setting organisation, GCISOworks closely with the functional leadsincluding the Government Chief DigitalOffice (Department of Internal Affairs),Government Chief Data Steward(Statistics New Zealand) and theCloud Services provideconvenient, on-demand networkaccess to shared pools ofcomputing resources (such asservers, storage, and applications).Government Protective SecurityLead (New Zealand SecurityIntelligence Service (NZSIS)).7

8CYBER THREAT REPORT 2020/2021Privacy Act 2020Cyber defencetelecommunications networkOn 1 December 2020, AotearoaAotearoa New Zealand’s reputationoperators are required to engageNew Zealand’s new Privacy Act 2020as a place to invest, innovate,with the GCSB, via the NCSC, aboutcame into force. Organisationsand embrace technology needs anetwork changes or developmentsthat carry out business in Aotearoacyber security culture that peoplethat intersect with national security.New Zealand are bound by the Actrespect and trust. The NCSC buildsMany of these changes are currentlyregardless of where they are based.collaborative relationships with ourdriven by cloud adoption, increasedThe law requires organisations thatcustomers, and offers defensivedemand for remote working, thesuffer a significant breach that eithertools and capabilities to consentingrollout and expanded capacity ofhas caused or is likely to cause anyoneorganisations that choose to consumefibre optic cabling, and the transitionserious harm to report that incident tothem. Increasingly, the NCSC is seekingto 5G services. In the 2020/21 year,the Privacy Commissioner.out innovative ways to provide threatPart 3 of TICSA establishes aframework under whichthe GCSB received 141 notificationsfor assessment of network changes.A significant number of these relatedto the rollout of 5G and full-fibreWhile not every breach of privacy isthe result of a cyber security incident,many organisations affected byinformation to organisations involvedin supplying IT or network services toNew Zealanders.cyber security incidents will need toThe NCSC can deploy defensivereport privacy breaches. When highcapabilities, including those developedThe GCSB’s other regulatory mandatesimpact incidents prompt the NCSC’sthrough the CORTEX project, toare derived from the Outer Spaceassistance, incident responders canparticipating nationally significantand High-altitude Activities Act 2017provide the forensic support andorganisations. These services(OSHAA), and the Overseas Investmentexpertise required to identify whetherare tailored to meet the network(Urgent Measures) Amendment Actpersonal information has likely beenconfiguration and risk profile of each2020 (OIAA). Under OSHAA, NCSCleaked or stolen, and to what extent.organisation. The NCSC’s defencesand GCSB assist NZSIS and otherThis helps organisations understandaim to keep customers ahead ofagencies in assessing space andthe potential harm a breach couldsophisticated, advanced persistenthigh altitude activities for nationalcause and advise those affected.threats. If malicious cyber activitynetworks.security risks. In the 2020/21 year, theis detected on one customer’sGCSB conducted 29 assessments ofnetwork, the NCSC can derive threatregulated space activities. The GCSB’sgrowing regulatory role also includessupporting the NZSIS to provide adviceto the Overseas Investment Officeabout any national security risksassociated with proposed overseasinvestment; in 2020/21 the NCSCconducted 69 assessments underthe emergency notifications regimeof the OIAA.Personal Information isinformation about an identifiableindividual. The purpose of thePrivacy Act 2020 is to promoteand protect individual privacy.information from the incident anduse it to mitigate the threat to othercustomers. The principle of sharinginformation to strengthen everyone’sdefences underpins the NCSC’snext major initiative: Malware FreeNetworks.

CYBER THREAT REPORT 2020/2021Malware FreeNetworksIncident responseservicesMalware Free Networks (MFN) is aWhen an incident does happen, themalware detection and disruptionNCSC’s 24/7 incident coordination andcapability that will empower the NCSCresponse team assists organisationsto scale up our network protectionto respond and recover. The teamservices and block malicious cybercan draw on all the NCSC’s resourcesactivity before it affects Aotearoato support and coordinate responseNew Zealand organisations. The goalefforts. If necessary, the NCSC’sis to disrupt sophisticated maliciousincident responders are deployedcyber activity as early as possible,on-site, working side-by-side withfor as many networks as possible.victim organisations and their serviceThrough MFN, the NCSC generatesproviders as they recover. Theand shares cyber threat intelligenceNCSC provides forensic analysis andwith participating organisations.investigation capabilities to map theCustomers can receive the MFN threatpathways a malicious cyber actor hasintelligence feed via MFN partners,taken, and evaluate the extent andsuch as internet or managed serviceimpact of an intrusion. The NCSC canproviders.also provide advice and guidanceIn 2019/2020, the NCSC successfullycommenced the initial rollout of thelive service, which has been operatingfor a small number of consentingNCSC customers since August 2020. ByJuly 2021, MFN had already disruptedover 2000 malicious indicators beforethey had the chance to cause harm.The NCSC aims to scale the availabilityof MFN through growing partnerships;the intention is to partner withindustry organisations – from largetelecommunication providers, to midsized managed service providers andsmall technology integrators – to makethe MFN service available to as manyorganisations as possible. The NCSCanticipates MFN will grow to blockmore malicious traffic over time, andwill provide unique threat insights andintelligence in support of increaseddetection.on managing communications andkeeping stakeholders informed duringan incident.In 2020/21, the GCSB publiclydisclosed the NCSC’s involvement inthree high-profile incidents. Theseincluded assisting the Reserve Bank ofNew Zealand following a data breach,providing support to the WaikatoDistrict Health Board following aransomware incident, and advisingNZX with respect to a series ofdistributed denial of service incidentstargeting Aotearoa New Zealand’sstock exchange. All three of theseincidents were rated as C2 incidents,or highly significant, and all attractedwell-warranted public concern.Generally, to protect relationships ofconfidence and trust, the NCSC doesnot comment publicly on incidents orvictims of malicious cyber activity.A Denial of Service (DoS)incident is an attempt to makean online service unavailable byoverwhelming the service withmore traffic than it can handle.9

10CYBER THREAT REPORT 2020/2021AOTEAROA NEW ZEALAND THREAT LANDSCAPETe āhuatanga o ngātuma i AotearoaWhile major disruptive incidents like denial of service andransomware incidents dominated cyber news headlines in2020/21, Aotearoa New Zealand’s nationally significant organisationsfaced a broad range of cyber threats, including espionage andinformation theft.Aotearoa New Zealand has arelative level of wealth, high digitalinterconnectivity, and niche technologyexports. These factors contribute tothe attractiveness of Aotearoa NewZealand as a target for motivated,well-resourced malicious cyber actors.Malicious cyber actors of varying levelsof sophistication and motivation targetAotearoa New Zealand networks andcreate new and fast-moving challengesfor network defenders. The NCSC’sfocus is on assisting customersthrough early warnings, prevention,harm reduction, and prompt servicerecovery.How theNCSC definesincidents2020/21 NCSCincidentsIn the 2020/21 year, the NCSCrecorded 404 cyber incidents.Because of the NCSC’s focus ondefending nationally significantorganisations, this number representsa small but impactful portion of allcyber security incidents affectingAotearoa New Zealand.these organisations. Some aregenerated through reports orrequests for assistance received fromvictims;

deter, detect, and disrupt, the types of malicious cyber activity that could affect the country's national security or economic wellbeing. The NCSC's annual Cyber Threat Report focuses on our analysis of incidents we have prevented, detected, or disrupted. It draws on and informs the wider functions and objectives