Niwa super computer attacked from Chinese internet address, PM confirms

Prime Minister John Key trod delicately around the risk of a diplomatic and trade row following revelations of a cyber attack on the government’s National Institute of Water and Atmospheric Research (Niwa).

The IP (internet protocol) address identified as the source of the attack was in China but that did not mean it originated from there, the PM told his weekly post-cabinet press conference.

“I would be very wary of attributing it to any country,” he says.

The IP address identified for the Niwa attack was in China but that does not mean it originated there, the PM says.

“It is very very difficult to know where these come from … they often hide their identity through an IP address they used and sometimes it might look as though it comes from a particular country but they might just be the host.

“The IP address on this particular case was China although that does not mean at all it is from a Chinese entity.”

Last week the US Federal Bureau of Investigation indicted Chinese citizens (three army officers and two civilians) on charges relating to cyber espionage aimed at numerous American firms and unions and said numerous cyber attacks had been linked to members of Chinese Peoples Liberation Army. The indictment itself is seen as Quixotic (there is almost zero chance China will extradite the men to face charges), but is seen by most commentators as a warning shot, and an attempt embarrass China into changing its (alleged) pattern of attacks.

However, Mr Key says there is no evidence the NIWA attacks came from China.

The number of cyber attacks on New Zealand have nearly doubled in the last year, he says — from 134 in 2012 to 219 last year.

But these come “from a wide range of sources” and most  - around 70% - are aimed at private businesses and not government institutions.

“We think there are a number of entities making quite sophisticated and robust attempts to get into large private sector entities here.”

Reasons include industrial espionage, seeking intellectual property, information on business practices and plans, and so forth.

“In some of the other attacks we have seen here there is a number of obvious reasons [for the attacks].

“But this one ... it is not at all clear.”

"Unsuccessful"
Meanwhile, Niwa now describes the overnight Thursday attack as "unsuccessful".

It says the $12.7 million Fitzroy supercomputer was taken offline. The Crown-owned company immediately undertook a series of tests with the assistance of Fitzroy's maker, IBM.

"After taking a number of mitigation steps, the supercomputer was back online on Saturday evening with all normal services resumed," Niwa says.

"The National Cyber Security Centre [a division of the GCSB] has been kept fully informed throughout the process."

The supercomputer is used to run scientific models and services and no sensitive personal or client information is stored on it, Niwa says.

Possible Chinese motives
On Saturday, security expert Dr Paul Buchanan — a former policy analyst for the US Secretary of Defence advising the Pentagon — told NBR the attack followed the Chinese pattern of cyber trawling.

Dr Buchanan say a number of possible motivations for attacking the non-obvious target of a weather modelling computer.

One was that a cyber-attacker was looking for a back door or weak link, if Fitzroy is connected to other government computers. The Five Eyes Network (which the US, UK, Canada, Australia and NZ use to collect and share intelligence) could have been the ultimate target.

"They also might be interested in the location of weather buoys or accessing the links to weather satellites, both of which can be used for non weather related purposes," the Auckland-based security analyst said.

Daniel Ayers, a one-time Ernst & Young computer forensic expert and fraud investigator now private company Special Tactics, saw another angle.

"Super computers produced by US companies are subject to ITAR (International Traffic in Arms Regulations). They are considered to be weapons and are therefore subject to strict export controls and rules of operation.  This is because of their immense processing power — in particular this could be used to mount a brute force attack on encryption," he told NBR over the weekend.

"Owners, including owners in NZ, are required to security check any person given access to the supercomputer. Such is the sensitivity surrounding them — driven by the state of manufacture, the USA."

There are super computers in New Zealand that are used for weather forecasting, academic research and digital special effects for movies, Mr Ayers notes.

"Because of their unique capabilities any compromise of a supercomputer could be about gaining access to the resources of the machine rather than stealing information.

"The culprit in this case might have been seeking to establish a ‘botnet’ of super computers to solve a particularly difficult problem — possibly cryptographic. Or they might have suspected that the machine had covert classified uses, and it may do."