
Niwa super computer attacked from Chinese internet address, PM confirms

Prime Minister John Key trod delicately around the risk of a diplomatic and trade row following revelations of a cyber attack on the government’s National Institute of Water and Atmospheric Research (Niwa).

The IP (internet protocol) address identified as the source of the attack was in China but that did not mean it originated from there, the PM told his weekly post-cabinet press conference.

“I would be very wary of attributing it to any country,” he says.

The IP address identified for the Niwa attack was in China but that does not mean it originated there, the PM says.

“It is very very difficult to know where these come from … they often hide their identity through an IP address they used and sometimes it might look as though it comes from a particular country but they might just be the host.

“The IP address on this particular case was China although that does not mean at all it is from a Chinese entity.”

Last week the US Federal Bureau of Investigation indicted Chinese citizens (three army officers and two civilians) on charges relating to cyber espionage aimed at numerous American firms and unions and said numerous cyber attacks had been linked to members of the Chinese People's Liberation Army. The indictment itself is seen as quixotic (there is almost zero chance China will extradite the men to face charges), but is seen by most commentators as a warning shot, and an attempt to embarrass China into changing its (alleged) pattern of attacks.

However, Mr Key says there is no evidence the NIWA attacks came from China.

The number of cyber attacks on New Zealand has nearly doubled in the last year, he says — from 134 in 2012 to 219 last year.

But these come “from a wide range of sources” and most - around 70% - are aimed at private businesses and not government institutions.

“We think there are a number of entities making quite sophisticated and robust attempts to get into large private sector entities here.”

Reasons include industrial espionage, seeking intellectual property, information on business practices and plans, and so forth.

“In some of the other attacks we have seen here there is a number of obvious reasons [for the attacks].

“But this one ... it is not at all clear.”

Meanwhile, Niwa now describes the overnight Thursday attack as "unsuccessful".

It says the $12.7 million Fitzroy supercomputer was taken offline. The Crown-owned company immediately undertook a series of tests with the assistance of Fitzroy's maker, IBM.

"After taking a number of mitigation steps, the supercomputer was back online on Saturday evening with all normal services resumed," Niwa says.

"The National Cyber Security Centre [a division of the GCSB] has been kept fully informed throughout the process."

The supercomputer is used to run scientific models and services and no sensitive personal or client information is stored on it, Niwa says.

Possible Chinese motives
On Saturday, security expert Dr Paul Buchanan — a former policy analyst for the US Secretary of Defence advising the Pentagon — told NBR the attack followed the Chinese pattern of cyber trawling.

Dr Buchanan saw a number of possible motivations for attacking the non-obvious target of a weather modelling computer.

One was that a cyber-attacker was looking for a back door or weak link, if Fitzroy is connected to other government computers. The Five Eyes Network (which the US, UK, Canada, Australia and NZ use to collect and share intelligence) could have been the ultimate target.

"They also might be interested in the location of weather buoys or accessing the links to weather satellites, both of which can be used for non weather related purposes," the Auckland-based security analyst said.

Daniel Ayers, a one-time Ernst & Young computer forensic expert and fraud investigator now with private company Special Tactics, saw another angle.

"Super computers produced by US companies are subject to ITAR (International Traffic in Arms Regulations). They are considered to be weapons and are therefore subject to strict export controls and rules of operation. This is because of their immense processing power — in particular this could be used to mount a brute force attack on encryption," he told NBR over the weekend.

"Owners, including owners in NZ, are required to security check any person given access to the supercomputer. Such is the sensitivity surrounding them — driven by the state of manufacture, the USA."

There are super computers in New Zealand that are used for weather forecasting, academic research and digital special effects for movies, Mr Ayers notes.

"Because of their unique capabilities any compromise of a supercomputer could be about gaining access to the resources of the machine rather than stealing information.

"The culprit in this case might have been seeking to establish a ‘botnet’ of super computers to solve a particularly difficult problem — possibly cryptographic. Or they might have suspected that the machine had covert classified uses, and it may do."

More by Rob Hosking and Chris Keall

Comments and questions

The US Department of Justice has set the benchmark for dealing with this kind of thing. Let's see if the Key government behaves any differently than a Dotcom or Labour government.

Is this what it takes to ban Huawei from New Zealand?

Get used to it as trade increases with China. Sometimes it's deplorable how politicians cannot see the consequences and love to shoot the messenger if the reality is contrary to their policy pursuit. It's like someone blinded by the light. And JK certainly is. Or is it the focus on the necessity to find economic growth no matter what while debt controls decisions.

OK, so the Chinese want to know how it is possible for a tax payer funded outfit who can't predict an El Nino or La Nina event even 1 year out to get billions in taxpayer funding? Nothing silly about that surely?

Any hacker worth their salt is going to bounce around as many hacked computers in different countries as they can before making their attack. They do this to hide their tracks.
The hacker could come from Russia, Iran, Israel or anywhere.
If the hacker really was from China and was a pro I would have thought they would have chosen a computer outside China as their final jump off point so that China would not get the blame.

Where do they get their "cyber attack" numbers? I'm not aware of any formal reporting programme... Is that just gov't computing facilities managed by gov't? Gov't apps managed by 3rd parties? In NZ only? Outside NZ? Does it include attacks on non-governmental commercial entities, too? So called "cyber attacks" is such a nebulous thing that trying to quantify it with those kinds of precise (and incredibly low) numbers is facile... perhaps the article can explain what constitutes a cyber attack, and within what population.

Not so sure these operators are so subtle as is claimed here. The US Govt has identified a group of Chinese hackers employed by the state to infiltrate American company computers and extract commercial secrets. These guys work 9am to 5pm. They have even been identified.

Why does Key stick his head in the sand every time something comes up about China? His actions are farcical.

For the same reason that he sticks his head in the sand whenever someone mentions pollution in the context of the dairy industry.
He hopes that it will all just go away.

It really is a shame that he cannot admit that there are viable alternatives to the Fonterra debacle.
But that might involve publicly acknowledging that we, as a country, are actually in a tight corner, economically speaking. And we therefore cannot afford to invest for a better future, or even risk changing direction ever so slightly.

The important thing is to stay off the ropes.

He might be right; we could be on a knife edge.

Just when does this much-touted strategy to double the value of NZ's exports, by adding value (one presumes), start to kick in?

Anyone seen it? Does it even exist?