Trading on the Hong Kong
stock exchange remained suspended for a handful of stocks as a result of a
distributed denial-of-service attack on its news Website, the Financial Times reported.
The "coordinated and
sustained" DDoS attacks continued for a second day on one of the
exchange's Websites, which is used to disseminate price-sensitive information, FT said Aug. 11.
The hkexnews.hk site, where
Hong Kong-listed companies such as HSBC bank, China Power International and
Cathay Pacific airline posted their announcements in order to comply with
disclosure requirements, went offline Aug. 10 and remained under sustained
attack, Charles Li, CEO of Hong Kong Exchanges and Clearing, told FT.
The identity and intention
of the attackers remained unknown, Li said. The denial-of-service attacks were
coming from a large botnet made up of PCs from around the world, the majority
of which were based outside of Hong Kong, according to HKEx.
"Our current assessment
is that this is a result of a malicious attack by outside hacking," said Li.
While some DDoS attacks are
out to just knock Websites offline, many attacks are a diversion for other
malicious activity, Neal Quinn, vice-president of operations at cloud-based
DDoS mitigation provider Prolexic, told eWEEK.
While he didn't have specific knowledge of the details of the attack on the
Hong Kong exchange, Quinn said many attackers often breach networks while the
security team is busy dealing with the "present" DDoS threat.
"Mission-critical"
systems actually used for trading, clearing and distributing market data were
unaffected because they were not accessible from the public Internet.
"HKEx’s other systems are not affected and trading in its securities and
derivatives markets continues to operate normally," according to an HKEx
statement.
HKEx said it had been
“working closely with local and overseas security experts” to investigate the
cause of the attack and restore normal service. The exchange successfully
implemented a mechanism to filter out the malicious packets late Aug. 10, which
allowed the news site to come back online even while under attack.
Attackers were using
multiple attack vectors, which made it harder for the exchange to defend
against the DDoS, HKEx said. There are several ways to launch a DDoS attack,
including flooding the network with SYN or ICMP packets, attacking the
application layer by sending so many database or Web requests to the site that
it can't process them all, and sending malformed packets, among others, Quinn
said. Most DDoS attacks are a combination of techniques in a "blended
attack," Quinn said.
Seven stocks were suspended
from trading after the news Website crashed the first time, shortly before the
companies were to post "sensitive results" from the morning trading
session. The exchange defended the suspension, saying that continuing to trade
would be unfair to investors who could not access the companies' results while
the news site was down.
To prepare for future
attacks, the Hong Kong exchange would abandon the practice of publishing
company news on a centralized Website, Li said. It would rely on media and
commercial information vendors such as Thomson Reuters and Bloomberg to
distribute company announcements and instruct investors to get the information
directly from the company Websites, according to Li. The exchange plans to buy
advertisements in eight local newspapers with a list of companies expected to
post news that day so investors will know they have to check the company
Websites for details.
"It was refreshing to
see Mr. Li not blame the attacks on uber-sophisticated, foreign advanced ninja
hackers, but rather state the facts and explain what the exchange is doing to
ensure the integrity of the market," Chester Wisniewski, a senior security
advisor at Sophos, wrote on the
Naked Security blog.
Researchers have long warned
that attackers can potentially disrupt financial systems by attacking stock
exchanges. The Zimbabwe stock exchange was attacked in early August. The United
States' Nasdaq revealed in February that cyber-criminals had embedded malicious
code on the "Directors Desk" Web application.
James Arlen, an independent
security researcher, discussed at the recent Black Hat conference how attacks
on high-frequency trading systems would occur too quickly for exchanges to
defend against.