New Zealand’s Treasury office said it had been “deliberately and systematically hacked,” with evidence showing more than 2,000 hacking attempts recorded over a 48-hour period from Sunday through Tuesday.
On Tuesday, the National Party – a center-right political party in New Zealand that’s also known as the Nats or National – published what it said were secret budget details. They were the same parts of the budget that were affected by the hacking attempts.
National leader Simon Bridges refused to say how National got its hands on the budget details two days before they were due to be published, though he said it was legitimate and rejected any implications that National got at the leaked documents via hacking.
The BBC quoted Bridges:
There has been no hacking under any definition of that word. There has been entirely appropriate behavior from the National Party the whole way through. There has been nothing illegal or even approaching that.
[The government is] not in control of what they are doing, so they are lashing out and they are having a witch-hunt.
According to the Guardian, Finance minister Grant Robertson said he had contacted National to ask that it stop releasing any more budget documents, given that they could have been sourced from the hack.
Bridges called for Robertson to resign.
Treasury Secretary Gabriel Makhlouf said that the attacks have been referred to the police. The Treasury doesn’t know, at this point, whether the attacks came from inside or outside of the country, he said.
One heck of a hot-potato budget
This is no normal budget. It’s the nation’s, and what its proponents say is the world’s, first so-called “wellbeing” budget. The controversial budget prioritizes mental health, domestic violence and child poverty in its spending decisions, being guided not only by traditional cost-benefit fiscal and economic analysis but also by a range of indicators measuring everything from loneliness to water quality.
Critics contend that the government might not have enough spending power to fund this approach, with debt currently forecast at 21% of gross domestic product, as Reuters reports.
In short, there’s been a lot of buzz about this particular budget, and it’s not entirely surprising that hackers want to get at it.
Why didn’t anybody notice?
A reporter at RNZ asked Makhlouf how it came to be that over 2,000 attacks, coming one after another in sub-second intervals, could go undetected for 48 hours:
You don’t have anybody who was monitoring the website? There was no way of it essentially flagging that this specific area was under attack?
You had no safeguards in place? …specifically around the budget to be released tomorrow?
He replied that the Treasury does penetration testing that works quite well, but he didn’t address what appears to be a lack of ongoing monitoring. Makhlouf said that the 2,000 hacks had eventually succeeded in exploiting a weakness in the system, though he didn’t give details.
When asked how the Treasury was going to bolster the security on its systems, Makhlouf said that some people who previously had access to the data no longer do – a situation that’s causing some inconvenience for those responsible for publishing the budget, he said.
He said there’s no evidence that the leak might have come from a rogue employee or other type of internal actor, as opposed to a remote attack, and declined to speculate on how National could have gotten the budget details if not by hacking. Makhlouf also said that the breach was definitely not caused by incompetence – as in, nobody accidentally posted the budget details online.
…perhaps because it wasn’t a hack
On Thursday 30 May, the Treasury released a statement saying that the police had already closed the investigation because it wasn’t a hack at all:
Following Tuesday’s referral, the Police have advised the Treasury that, on the available information, an unknown person or persons appear to have exploited a feature in the website search tool but that this does not appear to be unlawful. They are therefore not planning further action.
The statement goes on to explain that the government had prepared a “clone” of the live website that wasn’t public (a staging website in the vernacular) that contained budget data. The clone would have replaced the live site on the day the budget was released.
The Treasury maintains that even if no law was broken, something fishy was going on:
The evidence shows deliberate, systematic and persistent searching of a website that was clearly not intended to be public. Evidence was found of searches that were clearly intended to produce results that would disclose embargoed Budget information.
It remains to be seen if this was an “inside job” – the Treasury statement says it has identified three IP addresses involved in the incident and that one of them belongs to the Parliamentary Service.
Whether it was or not, it’s a useful reminder that development and staging versions of websites, and other websites that aren’t supposed to be public, are a favourite target for hackers because their security is so often overlooked.
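The weakness the Treasury describes above, a search tool on a non-public clone that happily indexed embargoed documents, is easy to reproduce and easy to prevent at query time. The following Python is an added example, not code from the article or from the Treasury; the corpus, titles and release time are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

@dataclass(frozen=True)
class Document:
    title: str
    body: str
    # None = releasable now; otherwise hidden from search until this instant.
    embargo_until: Optional[datetime]

# Constructed sample corpus and release time (placeholders, not real Treasury
# documents or the actual publication timestamp).
RELEASE = datetime(2019, 5, 30, 2, 0, tzinfo=timezone.utc)
CORPUS = [
    Document("Budget 2018/2019 Economic and Fiscal Update",
             "Published figures for the 2018/2019 year.", None),
    Document("Wellbeing Budget 2019/2020 - Vote Health",
             "Embargoed allocations for 2019/2020.", RELEASE),
    Document("Wellbeing Budget 2019/2020 - Vote Education",
             "Embargoed allocations for 2019/2020.", RELEASE),
]

def naive_search(corpus: List[Document], query: str) -> List[str]:
    """Weak behaviour: everything indexed on the clone is searchable."""
    q = query.lower()
    return [d.title for d in corpus
            if q in d.title.lower() or q in d.body.lower()]

def embargo_aware_search(corpus: List[Document], query: str,
                         now: datetime) -> List[str]:
    """Hardened form: filter on embargo state at query time, not at indexing."""
    visible = [d for d in corpus
               if d.embargo_until is None or d.embargo_until <= now]
    return naive_search(visible, query)

def leaking_queries(corpus: List[Document], probes: List[str],
                    now: datetime) -> dict:
    """Pre-release audit: which queries expose embargoed titles via naive_search?"""
    embargoed = {d.title for d in corpus
                 if d.embargo_until is not None and d.embargo_until > now}
    leaks = {}
    for q in probes:
        hits = [t for t in naive_search(corpus, q) if t in embargoed]
        if hits:
            leaks[q] = hits
    return leaks
```

Running `leaking_queries` against a staging clone before go-live turns the incident's search into a routine release check.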
2 comments on “New Zealand’s “hacked” budget was found on a website”
Bridges continued to have his fun, bellowing his way through Question Time and drip feeding more details in two more press releases throughout the day.
On Treasury’s website, his aides had simply entered 2019/2020 into the search engine. It gave them access to a treasure trove of supposedly secret, and potentially market-sensitive, information.
The problem with statements such as “we had 2000 hacking attempts since Sunday” is that they are essentially meaningless without context and technical clarity. You simply don’t know who’s counting, or what they are counting, or how, or (for that matter) why. For example, are you counting an nmap scan that tries 1000 different TCP ports and 1000 UDP ports as zero, one, two, 1000 or 2000 “hacking attempts”?
So when someone blindly talks about “we were hacked N times this weekend” it’s a bit like saying “the company turnover last week was just over one million”, without saying which currencies were in the mix. If it was earned in a mixture of $, € and £ then the numbers you’re adding together are at least vaguely commensurate. But if you earned £50 plus 999,950 Rupiah then your “million” is only worth about 100 units when you convert to GBP. Or it swells to two million if you denominate in IDR instead.