Chilling find
Hunt for the Ruapehu hacker
It was a nuisance-value incident compared with the rolling cyberattacks on the NZX that occurred at the same time.
But the people who tried to disrupt Mt Ruapehu’s online parking system this month may find they’ve messed with the wrong man.
Police production orders are pending which, once served on the alleged hackers’ internet service providers, are expected to confirm the identity of three offenders — expected to be annoyed middle-class skiers rather than agents of the Chinese state or Ukrainian cyber crimelords.
The saga began in July, as the new ski season began.
Ruapehu Alpine Lifts, which operates the Whakapapa and Tu¯roa skifields, introduced a new online car park booking system.
You book via a website, then the system scans and recognises your licence plate as your vehicle arrives.
Chief executive Jono Dean said the new parking system aimed to put an end to those frustrating queues and being turned around at the last minute.
Any change was always going to be contentious, given growing competition for spaces over recent years, but with Covid restrictions causing additional stress, there were always going to grumbles. On Reddit, various punters thought either season-pass holders should be favoured, or were keen on the previous Darwinian system of first-in, first-served.
Then, on September 2, anger was turned on the Ruapehu parking system, with what RNZ described as “a deliberate attack” that took the system offline for several minutes.
The parking system was developed by Auckland company Theta, whose head of cyber security, Jeremy Jones, said there were a series of attempts to game or disable the parking system.
“There’s a small cross-section of society who are avid skiers, and also work in IT, who were, shall we say, abusing their knowledge of technology to gain an unfair advantage,” Jones told the Weekend Herald.
“In one case, they actually took the system down for a couple of minutes, because they were just hammering the website to try and block-book car parks. Whatever motivated them — whether they were trying to do it just to book a car park or whether they were trying to do it to discredit the application by taking it offline, because they object to restrictions, remains to be seen.”
One person who was “abusing the application” was doing so from an IP address that indicated they worked for an IT company in Wellington; another was from an Auckland IT company; and another from a residential address in Auckland.
Jones — a Canterbury University engineering grad who spent 16 years working for the UK Ministry of Defence, including being charged with the defence of a Nato data centre — says he knows the names of the companies concerned but does not want to name them at this point. He says that would spoil the police’s party.
Asked about the production orders apparently soon to be served on the offenders’ ISPs, a police spokeswoman declined comment, citing “operational reasons”.
There’s a small crosssection of society who are avid skiers, and also work in IT, who were, shall we say, abusing their knowledge of technology to gain an unfair advantage. Jeremy Jones, head of security, Theta