After a new threat group claiming to be Fancy Bear and the Armada Collective used a DDoS attack to take down the New Zealand stock exchange, security experts say millions of dollars in infrastructure investment make it unlikely that major stock exchanges in New York, London or Hong Kong would suffer a similar take down, though the New Zealand attack could portend a larger attack.

Not only have those high-end exchanges have invested in infrastructure, “they don’t run their trading applications on the public Internet,” said Barrett Lyon, CEO of Netography.

“There’s very little chance a high-frequency trading platform in New York would sustain a DDoS attack, the network is too segmented,” he said. “I still don’t understand why the New Zealand exchange’s trading app got hit, it should be segmented from the public internet.”

“It’s very hard to attack the top exchanges and most hackers go for the low-hanging fruit, said Stephen Manley, chief technologist at Druva.

“Hackers are like salespeople, they go for what they can sell,” Manley said. “If this group attacks again they will probably go after schools, hospitals, state and local governments and mid-sized financial exchanges and companies.”

While most security experts were skeptical this group could launch a successful attack on a major exchange, there were security experts who thought the attack on the New Zealand exchange could be the start of much larger attacks.

“This may be a rehearsal of a major attack targeting NASDAQ or the London Stock Exchange amid the craziness going on the global stock markets,” said Ilia Kolochenko, founder and CEO of ImmuniWeb “I don’t think that major cyber gangs have their own interest in, or were hired by someone to conduct a DDoS capable of repeatedly shutting down the New Zealand exchange. But even a daily outage of NYSE can lead to multibillion losses around the globe, and probably even some bankruptcies and countless lawsuits.”

Kolochenko added that DDoS attacks are hard to investigate, and most of their authors enjoy skyrocketing profits. He said during the pandemic, the average price of bots used for DDoS has fallen, and will probably become even more affordable.

In fact, Druva’s Manley said the attack on the New Zealand exchange took about 50,000 device bots at a total cost of roughly $1,500. “People can buy these attacks as-a-service these days,” so for a minimal investment the return can be very high.

Brandon Hoffman, CISO at Netenrich, added that if this is truly an up and coming group trying to make a name, it's likely they will strike again -- and soon – before their attack methods are defeated.

“Considering this was successful, it makes sense for them to target higher-profile exchanges,” Hoffmans said. “If we had more information on the who or why, it certainly would be easier to predict subsequent targets. At this point, I don’t have enough information on the group behind it.” 

The group’s activities first were made public in the past week when Akamai detailed them in a blog post. Akamai suspects the extortion demands originate from copycats using the reputation of known attack groups as a means of intimidation to expedite payment.

In the extortion demands by the Armada Collective seen by Akamai, the ransom starts at five bitcoin ($56,528) and increases to 10 bitcoin if they miss the deadline, with a five bitcoin increase for each day thereafter. Fancy Bear starts at 20 bitcoin and increases to 30 bitcoin if the victim misses the deadline, with an additional 10 bitcoin for each additional day.

As of this morning, no official organization has confirmed the motive was, how much money was lost or if the group Akamai wrote about was actually the group that took down the New Zealand exchange. It’s also been reported the group attacked Venmo, PayPal and Worldpay, among others.

“There’s no question that a lot of the financial and telemedicine start-ups are vulnerable,” Netography’s Lyon said. “The whole situation with work-from-home due to COVID-19 has changed our concept of the perimeter, so it’s conceivable that DDoS attackers could also target companies at the corporate VPN aggregation point. Especially for companies with legacy systems, such as insurance companies, if the hackers hit the VPNs their employees can’t work anymore.”