What happened to NZ Post’s online services on Thursday
28 Sep 2021

Planned Outage from NZ Post and Ongoing Cyber Attacks on ANZ Cause Disruption

What happened to ANZ and Kiwibank in the September 2021 DDoS attack?

Over 650 ANZ customers experienced problems accessing their online banking during a fifteen-minute period, while on Wednesday the website monitoring service Down Detector recorded a peak of more than 1000 in a 15-minute period. It wasn’t just ANZ and NZ Post that suffered at the hands of Wednesday’s attacks; a range of others also appeared to be affected, including Kiwibank.

CERT NZ, a cyber-security agency, commented that it was aware of disruptions occurring and wanted to reassure the public that it was working hard with those affected, as well as sector partners, to monitor the situation and understand its cause in order to support recovery efforts. Its spokesperson went on to state that no further organizations had reported attacks to the agency.

Some ANZ customers said they were worried because they were still periodically unable to access their accounts the day after the attacks were supposedly over.

Spokesman Stefan Herrick was aware of some problems and encouraged any customers who were having trouble “to try again later. Our support teams are continuing to work hard to improve access. We apologise for any inconvenience this has caused and thank customers for their patience.”

September 2021 DDoS Attacks Affect ANZ and Kiwibank Customers

All major IT systems belonging to NZ Post were part of a planned outage in an apparent attempt to combat a recent spate of “denial of service attacks” on New Zealand businesses. The planned outage meant that NZ Post customers were unable to book pickups, print posting labels, check or validate addresses, or track items during the short outage.

The outage was needed due to “issues at one of [NZ Post’s] third-party IT suppliers”, some of which caused intermittent website disruptions for end users on Wednesday. However, a spokeswoman declined to comment on whether or not these issues were directly linked to the denial-of-service issues that caused problems for a wide range of New Zealand businesses, including ANZ.

What is a DDoS or Denial of Service attack?

DDoS stands for distributed denial of service. These attacks are often referred to simply as denial-of-service attacks, because denial of service is their main effect. The attack itself involves hackers hijacking or hiring large numbers of computers to send spam requests to the target website. This wave of traffic overloads and crashes the online service belonging to the target business or organisation. Faced with this huge amount of spam traffic, the organisation's internet-facing servers cannot cope, and legitimate website users are therefore unable to access the site.

DDoS attacks are considered to be less malicious than other forms of cyber attack because they do not involve the hacking of the organization, which means there is no risk of banking customers losing money or information. They should not be underestimated, however.

The main method of defending against DDoS attacks is to block the fake traffic in order to force the attackers to change their approach but this doesn’t always work for very long. Larger organizations have tools to identify the sources of the spam traffic and block them. Often, when the attacks are identified and blocked, the attackers automatically pivot to use a different route and the attack continues.
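One way the source identification described above can be done, as an added example that is not part of the original article: count requests per source in a sliding window and flag anything over a limit. It goes one step beyond the text by also counting per /24 network, which catches traffic spread across many addresses that each stay under the per-address limit. The log format, limits and IPv4 documentation addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque

WINDOW_S = 10     # sliding window length in seconds (assumed value)
IP_LIMIT = 20     # max requests per address per window (assumed value)
NET_LIMIT = 60    # max requests per /24 network per window (assumed value)


def parse(line):
    """Parse a constructed '<epoch_seconds> <src_ip> <path>' log line."""
    ts, ip, _path = line.split(maxsplit=2)
    return int(ts), ipaddress.ip_address(ip)


def detect(lines, window=WINDOW_S, ip_limit=IP_LIMIT, net_limit=NET_LIMIT):
    """Return (flagged addresses, flagged /24 networks) as sets of strings."""
    seen = defaultdict(deque)          # key -> timestamps still inside the window
    bad_ips, bad_nets = set(), set()
    for ts, ip in map(parse, lines):
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        for key, limit, out in ((ip, ip_limit, bad_ips), (net, net_limit, bad_nets)):
            q = seen[key]
            q.append(ts)
            while q[0] <= ts - window:  # expire timestamps older than the window
                q.popleft()
            if len(q) > limit:
                out.add(str(key))
    return bad_ips, bad_nets


def sample_log():
    """Constructed traffic using documentation address ranges (RFC 5737)."""
    lines = []
    for t in range(1000, 1010):
        lines.append(f"{t} 192.0.2.10 /login")          # normal user, 1 req/s
        lines += [f"{t} 198.51.100.7 /login"] * 5        # one noisy source, 5 req/s
        # Distributed sources: 15 hosts in one /24, 1 req/s each
        lines += [f"{t} 203.0.113.{h} /login" for h in range(1, 16)]
    return lines


if __name__ == "__main__":
    ips, nets = detect(sample_log())
    print("block addresses:", sorted(ips))
    print("block networks: ", sorted(nets))
```

In the constructed sample, the single noisy address trips the per-address limit, while the fifteen quiet hosts are only visible at the network level.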

DDoS attacks are particularly hard to trace as they often utilize malware-infected computers that could be anywhere in the world. Furthermore, the traffic is often routed through networks and servers owned by multiple legitimate businesses.

There have been occasions where attackers have demanded a ransom to cease the attack, though these are believed to be rarely paid. Even if a ransom is demanded during one, DDoS attacks are different from ransomware attacks. Ransomware attacks involve the installation of malware that seizes control of the system and either refuses its owners entry to the system or threatens the security of the information held there until a ransom is paid. DDoS attacks, as previously discussed, do not involve any hacking or risks to user security.

What is the history of DDoS attacks?

Although both attackers and defenders keep developing their tactics, DDoS attacks are nothing new. For decades DDoS has been used to cause civil disruptions, articulate protests, and demand action. Now, however, DDoS attacks are usually motivated by profit or blackmail.

Below is a short list of DDoS attacks that have affected New Zealanders.

September 2021: Vocus, New Zealand’s third largest internet provider, attempted to help one of their customers defend against a DDoS attack, but the attempt backfired, causing outages for Slingshot, Orcon and Stuff Fibre and wholesale customer Sky Broadband.

September 2020: The NZX experienced a series of DDoS attacks which caused their entire website to be taken offline. The decision to suspend share trading during the initial attack was reversed after a policy change despite the fact NZX’s website is used to distribute price-sensitive market announcements.

2012: Following Kim Dotcom's arrest in New Zealand, hacking group Anonymous showed their displeasure by launching a DDoS attack against the United States FBI and Justice Department, and recording label Universal Music Group.

Some famous DDoS attacks include:

Historically, the 2007 attack where Estonia was largely taken offline during a tense period with Russia is one of the best-known DDoS attacks because it affected an entire country’s internet presence.

In February of 2020, Amazon reported that its AWS Shield service prevented the largest DDoS attack ever recorded. The attack it stopped was reported to be a 2.3 Tbps (Terabits per second) attack.

The previous largest attack ever was the 2018 GitHub attack, which measured 1.3 Tbps. This equates to approximately 126.9 million packets of data each second being sent to its servers.

The BBC's sites and its iPlayer on-demand services were offline for around three hours in 2015 when a group called “New World Hacking” overwhelmed them in a DDoS attack.

Banks have always been a favoured target of DDoS attacks due to the public reaction to the news that their banks have been “hacked”. In September and October of 2012, a group launched a series of DDoS attacks against US banks including Bank of America/JP Morgan and Chase/US Bancorp/Citigroup/PNC Bank - allegedly due to a controversial film trailer on YouTube.
