The NCSC announces record-high financially motivated cyber activity

The National Cyber Security Centre’s (NCSC) annual Cyber Threat Report identifies a record-high 28% of incidents as likely criminal or financially motivated.

Financially motivated activity represents a higher proportion than state-sponsored activity, which made up only 23% this financial year, in comparison to 34% in the 2021/2022 year.

We see ransomware activity imposing significant costs and requiring substantial recovery efforts for organisations in New Zealand and around the world.

Lisa Fong, Deputy Director-General GCSB, responsible for the NCSC, says the growing availability of effective malicious cyber tools, compromised credentials, and vulnerabilities in public-facing infrastructure has made it easier for malicious cyber actors to work at scale, and with the sophistication required to cause national-level harm.

“Domestically, and internationally, the NCSC has seen heightened determination from cyber criminal actors attempting to extort payment from organisations,” says Ms Fong.

Ransomware and extortion activity continue to comprise a significant portion of the confirmed criminal activity the NCSC observes.

“The number of ransomware incidents recorded by the NCSC has remained relatively consistent over the last three years, but the impact to Aotearoa New Zealand has almost certainly increased. On average, the NCSC recorded more than one ransomware incident per month in the fiscal year, and half of these incidents were categorised as C3 (indicating a significant incident),” says Ms Fong.

This financial year, the NCSC reported 316 incidents affecting nationally significant organisations compared to 350 the previous year.

“This difference may reflect a number of contributing factors, including recent disruptions to cyber criminal infrastructure; changing priorities or tactics of states; organisational cyber resilience and maturity; or our increasing ability to disrupt activity before harm takes place,” Ms Fong says.

Despite a drop in the total number of incidents recorded by the NCSC, the number of incidents detected by NCSC capabilities grew year-on-year.

“Viewed over the last four fiscal years, the number of incidents detected by NCSC capabilities accounts for about a third of our total recorded incidents,” says Ms Fong.

MFN is the NCSC’s threat detection and disruption service and during the 2022/2023 year, its coverage expanded by adding new partners.

Ms Fong says that a key milestone for the NCSC this year was the delivery of MFN to a major telecommunications service provider’s domestic customer base.

“Developments in the NCSC’s cyber defensive capabilities have allowed us to scale some services to a significant number of organisations, and even to protect individual home users.

“These increasing and deepening partnerships mean the NCSC is offering unprecedented threat protection, with millions of New Zealanders now benefitting from MFN,” says Ms Fong.

A typical month this year saw the NCSC’s MFN service disrupting 20,800 connections to known malicious infrastructure. Additionally, on average the NCSC detected seven cyber incidents per month and received 20 reports or requests for assistance.

“We are really proud of the increasing cyber defence impact occurring across Aotearoa New Zealand due to our MFN service.”

Overall, the detection, disruption, advisory and threat intelligence services the NCSC provides prevented an estimated $65.4 million of harm to Aotearoa New Zealand’s nationally significant organisations in the 2022/2023 year.

The significant amount of harm prevented by the NCSC’s services and this year’s increase in financially motivated malicious cyber actors reinforce the need for nationally significant organisations to have good cyber security.

Our Cyber Threat Report outlines a number of recurring tactics that have been used effectively in high-impact incidents and provides mitigations to prevent these.

“Looking ahead to 2024, it is important for Aotearoa New Zealand organisations to embed good processes – both in technical controls and in cyber security governance.

“For the NCSC, the coming year will continue to be one of growth and change. As part of this process, we welcome our partners at CERT NZ as colleagues. Our collective strengths will combine to create an even more effective operational agency, ready to respond to the growing cyber security threat faced by people and businesses in Aotearoa New Zealand,” Ms Fong says.

Read the full report online here: 2022/2023 Cyber Threat Report

Note: To help understand the impact of a cyber incident, the NCSC triages incidents into categories, which consider the size of the organisation impacted and the severity of the compromise. A national cyber emergency (C1) is a cyber incident causing severe disruption to a core Aotearoa New Zealand service, whereas a minor incident (C6) is a cyber incident causing a known or likely impact to individuals or a small to medium enterprise.


About the NCSC

The National Cyber Security Centre (NCSC) is a part of the Government Communications Security Bureau (GCSB). The NCSC deters, detects, disrupts, and provides advice about the types of malicious cyber activity that could affect Aotearoa New Zealand’s wellbeing or prosperity.

The NCSC operates the GCSB’s cyber defence capabilities and leads cyber security engagement with New Zealand’s organisations of national significance to protect their information systems from high-impact and advanced cyber-borne threats. The NCSC is the lead organisation for responding to cyber threats that could have an impact on national security and wellbeing.

Earlier this year, the Government announced their decision to integrate CERT NZ with the NCSC, to create a lead operational cyber security agency for New Zealand. This creates a similar cyber security agency structure to those operated by Australia, the UK and Canada – single agencies with a wide span of responsibilities and customers.

We are working to implement this decision to provide a stronger cyber security system and improved customer service for New Zealanders. 

CERT NZ was established in 2017 as a cyber security agency for government, to support a broad range of businesses, organisations and individuals who are or may be affected by cyber security incidents. CERT NZ provides information and advice, collates a profile of the threat landscape in New Zealand and offers incident response support to those that need it.

Media contact: media@nzic.govt.nz