NZX stock exchange DDoS attacks
A sustained volumetric DDoS campaign knocked New Zealand's stock exchange offline for parts of five consecutive trading days, halting trading because the exchange could not publish market announcements, and drawing a sharp regulatory rebuke.
- Victim
- NZX (New Zealand's Exchange)
In late August 2020, NZX, New Zealand's stock exchange, was hit by a sustained distributed denial-of-service (DDoS) campaign that disrupted trading on five consecutive days and became one of the most high-profile attacks ever against a national financial-market operator.
What happened
The first attack struck on Tuesday 25 August 2020, described by NZX as a severe offshore volumetric DDoS attack routed through the exchange's network service provider. Crucially, the attack did not disable NZX's core trading engine. Instead, it overwhelmed the exchange's public-facing infrastructure — its website and the Markets Announcement Platform used to publish price-sensitive disclosures.
Under New Zealand market rules, trading cannot continue if listed companies' material announcements cannot be released to all participants simultaneously. With its announcement platform unreachable, NZX was forced to halt cash-market trading to preserve a fair and orderly market. The pattern repeated day after day, with disruptions on 25, 26, 27, 28 and 31 August.
Response
NZX worked with its network provider and New Zealand's Government Communications Security Bureau (GCSB) and its National Cyber Security Centre to mitigate the floods, progressively rerouting traffic and deploying stronger DDoS protection. Some reports indicated the attacks were accompanied by extortion-style threats, fitting a wave of ransom-DDoS activity that targeted exchanges and financial firms globally in 2020.
Regulatory fallout
The episode triggered a joint review by the Financial Markets Authority (FMA) and the Reserve Bank of New Zealand, published in early 2021. The regulators were blunt: while many global exchanges had seen elevated DDoS activity, few had been disrupted as often or for as long. They concluded the attack was foreseeable and "should have been planned for," faulting NZX's resilience preparation and incident management, and requiring remediation of its technology and governance.
Why it matters
The NZX attacks showed that availability — not just data theft — can paralyse critical financial infrastructure, and that an exchange can be forced to stop trading even when its trading engine is untouched, simply because a peripheral disclosure system is knocked offline. The incident became a reference case for DDoS resilience at market operators worldwide and reshaped expectations that financial-market infrastructure providers must plan for sustained, repeated volumetric attacks as a foreseeable operational risk.
Timeline
A volumetric DDoS attack via NZX's network service provider forces the exchange to halt cash-market trading.
Trading is disrupted for a second consecutive day as the attacks continue from offshore.
NZX halts trading for a third straight day; the New Zealand government acknowledges involvement of the GCSB cyber-defence agency.
Further disruption hits the exchange's systems for a fourth day as mitigations are strengthened.
Trading is briefly affected again before NZX stabilises with upgraded DDoS protection.
An FMA/RBNZ review criticises NZX, finding the disruption foreseeable and its preparation inadequate.
Sources
- cnbc.comhttps://www.cnbc.com/2020/08/27/new-zealands-exchange-faced-ddos-attacks-this-week.html
- theregister.comhttps://www.theregister.com/2020/08/27/nzx_ddos_third_day/
- insurancejournal.comhttps://www.insurancejournal.com/news/international/2021/02/05/600216.htm
- bankinfosecurity.comhttps://www.bankinfosecurity.com/regulator-blasts-nzs-stock-exchange-over-ddos-meltdown-a-15881
- nzx.comhttps://www.nzx.com/announcements/358636