May 29, 2025
Mass ram raid on Aussie super funds
In early April 2025, coordinated cybercrime attacks were launched against superannuation funds in Australia. Superannuation providers reportedly affected included Hostplus, REST, AustralianSuper, Australian Retirement Trust, MLC Expand, and Cbus. It was thought that advanced artificial intelligence (AI) and “bot as a service” (bot) platforms were employed in the attacks, which involved bogus lump sum withdrawal requests. Most of the thousands of individual attacks failed due to superannuation providers picking up on suspicious spikes in withdrawal attempts. A few did succeed, though, gutting hundreds of thousands of dollars from four unsuspecting victims’ superannuation accounts in the process and triggering compensation payments by the affected provider. Stolen superannuation withdrawals were sent to bank accounts that did not belong to the members who were looted. The incident was stressful for the victims and costly to the provider that was tricked.
The attacks cast a spotlight on an increasing type of cybercrime risk to investors and their superannuation providers in Australia and elsewhere around the world. The particular type of attack employed is known as credential stuffing. This crime entails stealing paired username and password credentials from one source and then deploying them to gain unauthorised access to multiple other user accounts. It is as if a single housekey were able to open all the locks around the same property. This type of cybercrime can only happen where victims have used the same usernames and passwords across various accounts. These people are vulnerable if cyber criminals, having obtained the common key from one account, can use it to unlock their other accounts. It seems elementary that each account should have its own unique username and password, but apparently vast numbers of people use identical credentials right across their accounts; enough of them, indeed, to enable the credential stuffing criminal enterprise to flourish on an industrial scale.
Given the sheer size of the April mass ram raid on Australian superannuation funds, the fruits of the crime for the perpetrators were relatively modest at some A$500,000 stolen across several personal superannuation accounts. The providers as a group could be forgiven for congratulating themselves on successfully repulsing the attack. However, the incident did reveal that fund managers, not just in Australia but here in New Zealand also, need to look beyond their own internal cyber defences and consider their customer bases as a source of cybersecurity risk.
Password pilfering rife
ABC News has published reportage on cybercrime that delves into depths that the ordinary person might not suspect exist, even if it is their own laptop or smartphone that is compromised. For example, information stealer malware (infostealer) gets surreptitiously planted on personal computers after initial covert access, often via a phishing email, and secretly collects usernames, passwords, and other financially relevant information that is either used directly by the thieves for their own commercial gain or else stockpiled and commoditised as data bundles sold for profit on darknet black markets. So much information has been stolen in this way that the market prices of pilfered usernames and passwords have fallen significantly due to oversupply. Some bulk sellers of illicitly obtained credentials offer monthly subscription services and even lifetime access packages to financial criminals. Stolen information may even be given away for free as a loss leader to attract future sales. Bulk information sourced via infostealers can provide the high volumes required for mass attacks such as the April raid on superannuation funds.
In theory, it should be possible to prevent infostealer raids by installing antivirus software on personal computers and other electronic communications devices. In practice, however, many people fail to update their antivirus software and operating systems, and so their computers remain compromised by previously embedded malware. Attempting to change and update passwords on such an infected device will be picked up and exploited by the infostealer. Multi-factor authentication (MFA) is not foolproof either: malware criminals offer stolen session cookies or active access tokens alongside stolen passwords, and these can bypass MFA because they represent a login that has already passed the MFA step. These session artefacts are harvested using adversary-in-the-middle (AITM) phishing kits.
Fund managers ride to the rescue
Fund managers can add to investor communications valuable information about how their customers could best protect themselves from credential theft through improved cyber hygiene. New scheme members could receive information packs on maintaining cybersecurity for their electronic communications devices where they store usernames, passwords, and other target data to help shield their investments from bad actors. Tips can include, for example, subscribing to reputable antivirus software and routinely updating this software and the operating system it applies to, and not storing sensitive information on the family computer, which is a typical route for malware entry into a household. Investor newsletters incorporating cybersecurity articles and regular reminders to change passwords and avoid using the same password across different accounts can be effective. Investors could be encouraged to change passwords by using a separate, secure device, to avoid the risk that a smartphone or personal computer is already compromised.
While this type of cybersecurity hygiene advice can be seen as fund managers acting in the best interests of their investors, it also serves the self-interest of fund managers in addressing reputational risk from adverse publicity, financial risk from paying investor compensation, and regulatory risk for breaches. It could additionally assist New Zealand-domiciled managed investment scheme (MIS) managers, including KiwiSaver managers, to evince provision of value-for-money (VfM) to their investors. In its April 2021 guidance Managed fund fees and value for money (Guidance), the FMA lists under Principle 3: Advice and service is received, not just offered the following VfM-adding activity by MIS managers:
Advice and any other service or feature that benefits the member directly [sic], because it demonstrably assists their decision making
(Guidance, p. 9)
It is reasonable to suppose that a MIS manager proactively providing its investors with useful, effective, regular, protective, and ongoing cybersecurity information about how to keep their personal computers and other electronic communications devices secure from cybercrime, and their usernames, passwords, and MIS account details safe from infostealing, would pass muster as adding VfM for scheme members.
It could also be argued that by providing such cybersecurity information to its investors, a MIS manager is contributing to its ability to comply with Condition 9. Business continuity and technology systems (Condition 9) of the Standard Conditions for managed investment scheme manager licences (Standard Conditions). Condition 9 states:
You must have and maintain a business continuity plan that is appropriate for the scale and scope of your licensed market service.
If you use any technology systems, which if disrupted would materially affect the continued provision of your market service (or any other market services licensee obligation), you must at all times ensure the operational resilience of those systems – being the preservation of confidentiality, integrity and availability of information and/or technology systems – is maintained.
You must notify us as soon as possible and, in any case, no later than 72 hours, after discovering any event that materially impacts the operational resilience of your critical technology systems, and provide details of the event and impact on your licensed market service and recipients of the service.
(Standard Conditions, p. 7)
A MIS manager’s own investor client base is a potential source of cybersecurity risk that could give rise to events that materially impact the operational resilience of the manager’s critical technology systems. It makes sense for MIS managers to do whatever it takes to make these investors part of their cybersecurity risk mitigation solutions rather than just leave them as a piece of the problem.
It should be noted that MIS managers can themselves fall victim to infostealer and AITM attacks infiltrating their systems, and their cybersecurity measures would need to take these risks into account.
Fund manager cybersecurity scrutinised post Aussie super fund hack
Whilst the superannuation fund providers who parried the April credential stuffing attacks were quick to minimise their impact, criticism subsequently emerged of lax cybersecurity found at some Australian superannuation funds. Australian media have reported on statements made by Steve Moros, senior director of cybersecurity company Proofpoint’s advanced technology group for Asia Pacific and Japan, concerning allegedly excessive cyber risk exposures of superannuation funds that an investigation conducted by his company had discovered. Proofpoint reviewed 88 APRA-regulated Australian superannuation funds via domain-based message authentication, reporting and conformance (DMARC) analysis.
DMARC is an email authentication protocol that lets a domain owner publish, in DNS, how receiving mail servers should treat messages claiming to come from that domain when those messages fail sender authentication checks. Its purpose is to thwart cyber criminals from misusing domain names for their own malign objectives, such as spoofing a fund's email address. There are three progressively ascending levels of protection from suspicious emails provided by DMARC. From lowest to highest, these levels are monitor (published as a policy of "none", which only reports failures), quarantine (failing messages are routed to spam or junk folders) and reject. As the strongest protection, reject is the most secure as it blocks suspicious emails from entering inboxes.
Proofpoint’s analysis took reject to be the gold standard level of protection for superannuation funds. According to its analysis, only 42% of the superannuation funds in its survey applied reject. The remaining 58% of the superannuation funds scrutinised were claimed to have inadequate cybersecurity in that they used either monitor (27%), quarantine (23%), or did not use DMARC at all (8%).
The pie chart shows the results of Proofpoint’s research:
Chart 1: Percentages of DMARC settings in Australian superannuation fund sample

It could be an interesting exercise to replicate Proofpoint’s investigation on retail managed fund and KiwiSaver schemes in New Zealand. Looking at the four categories on the chart, MIS managers should readily be able to spot which one they fit into.
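One way to carry out that replication offline, as an added example that is not code from the article or from Proofpoint: classify the DMARC TXT record of each domain into the chart's four categories (reject, quarantine, monitor, no DMARC) and tally the percentages. The domain names and records below are constructed placeholders; a real survey would substitute a DNS TXT lookup of `_dmarc.<domain>` for the sample dictionary.

```python
"""Classify published DMARC policies into the four categories used in Chart 1."""
from collections import Counter

# Constructed sample of what a DNS TXT lookup at _dmarc.<domain> might return.
# The domains are placeholders, not the funds named in the article.
SAMPLE_DMARC_TXT = {
    "fund-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@fund-a.example"],
    "fund-b.example": ["v=DMARC1; p=quarantine; pct=50; rua=mailto:d@fund-b.example"],
    "fund-c.example": ["v=DMARC1; p=none; rua=mailto:d@fund-c.example"],
    "fund-d.example": [],                                    # no TXT record at all
    "fund-e.example": ["v=spf1 include:_spf.example -all"],  # unrelated TXT only
    "fund-f.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # two records: invalid
}

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt_records):
    """Return the tag dict of the single valid DMARC record, or None.

    RFC 7489 requires exactly one record starting with 'v=DMARC1' that carries a
    'p' tag; anything else means receivers apply no DMARC policy at all.
    """
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return None
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("p", "").lower() not in VALID_POLICIES:
        return None
    return tags


def classify(txt_records):
    """Map a domain's TXT records to the article's four categories."""
    tags = parse_dmarc(txt_records)
    if tags is None:
        return "no DMARC"
    policy = tags["p"].lower()
    return "monitor" if policy == "none" else policy  # "quarantine" or "reject"


def effective_pct(tags):
    """Share of failing mail the policy is applied to (the 'pct' tag, default 100).

    A p=reject record with pct=50 only rejects half of the failing mail, so the
    headline policy can overstate the real protection.
    """
    try:
        return max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        return 100


def survey(domains):
    """Tally category percentages across a sample, as in Chart 1."""
    counts = Counter(classify(records) for records in domains.values())
    total = sum(counts.values())
    return {category: round(100 * n / total) for category, n in counts.items()}


if __name__ == "__main__":
    for domain, records in SAMPLE_DMARC_TXT.items():
        tags = parse_dmarc(records)
        note = f" (pct={effective_pct(tags)})" if tags else ""
        print(f"{domain:16} {classify(records)}{note}")
    print(survey(SAMPLE_DMARC_TXT))
```

The `pct` check is worth keeping in a real survey: a fund can publish `p=reject` yet apply it to only a fraction of failing mail, which the four headline categories would not reveal.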
According to Proofpoint’s Steve Moros:
While resource constraints are understandable, implementing robust DMARC protection isn’t optional in today’s threat landscape – it’s essential infrastructure that stands between members’ life savings, their privacy and increasingly sophisticated fraud campaigns targeting these critical financial institutions.
(Email security lapses widespread among super funds, Super Review, 1 May 2025)
The threat landscape that Steve Moros refers to has not only been rendered more dangerous by AI and bots. Another menacing feature arising is cybercrime’s commercialisation and associated division of labour, with career specialisations emerging based on superior technical ability. Traditionally, cybercrime has been an end-to-end activity, with hackers illicitly obtaining information that they then use themselves to commit further criminal activities such as demanding ransoms and credential stuffing. Nowadays the initial hacking and information theft is often carried out by specialist cybercriminals known as initial access brokers, who represent the most technically skilled of their den of thieves. These brokers then on-sell their ill-gotten gains to other less technically endowed cybercriminals who undertake ransomware and credential stuffing raids. Initial access brokers would no doubt be keenly interested in secretly acquiring highly sellable information such as usernames and passwords for managed fund investor accounts given the large amounts of money potentially at stake in the event of a cyberattack.
Not just MIS managers but also their Supervisors should pay close heed to the risks that cybercrime poses to managed funds. While the funds themselves would be the primary target of a serious attack such as credential stuffing, it should not be overlooked that their investors could also be a source of cybersecurity risk to these same funds when they fall victim to infostealer intrusions into their personal electronic communications devices.
FMA makes its position clear on Condition 9
Coincidentally, in April 2025, when Australian superannuation funds were being cyber-attacked, the FMA published a short information sheet entitled Key takeaways from the CrowdStrike event survey (CrowdStrike Sheet). The CrowdStrike Sheet came with a reminder that implicitly included Condition 9 in its ambit:
Financial service providers that are required to notify the FMA of any event that materially impacts the information security or operational resilience of their critical technology systems must ensure such notifications are made promptly and within the timeframe required by their licence obligations.
(CrowdStrike Sheet, p. 2).
The CrowdStrike event occurred on 19 July 2024 when the cybersecurity company CrowdStrike issued a flawed security software update that affected Windows operating systems worldwide, causing multiple information technology outages. This event was a software failure caused by miscarried internal processes at the cybersecurity services provider and not a deliberate cyber-attack, and accordingly was an unintended and avoidable accident rather than an intentionally planned and malicious hostile act.
Many financial service providers (FSPs) licensed by the FMA were impacted by the CrowdStrike event, yet the regulator noted that it received very few notifications under Condition 9 or equivalent FSP licence conditions. In order to find out what happened to FSPs during and in the aftermath of the event, the FMA surveyed 66 of them for answers. These answers form the basis of the CrowdStrike Sheet.
In the survey the FMA examined CrowdStrike event impacts on the following:
As with the Proofpoint investigation conducted in Australia, the FMA’s survey threw up some matters of concern. Out of the 66 survey respondents, about 23% stated they were impacted by the CrowdStrike event, but of those respondents, around 70% did not notify the FMA, with some claiming that substantial media coverage of the CrowdStrike event at the time contributed to their decision not to undertake notification. In reality, the fact that media coverage makes a software failure widely known is not relevant to whether an FSP should notify the FMA about its own situation.
More than 70% of survey respondents reported using third-party providers to assist provision of their financial services. Of this group, roughly 10% revealed that they were unsure whether the CrowdStrike event had a material impact on outsource providers that they used. This is a disturbing result, as MIS manager licence Condition 3. Outsourcing (Condition 3) requires:
If you outsource a process/system necessary to the effective and proper running of the market service (or any other market services licensee obligation) you must be satisfied that the provider is capable of performing the service to the standard required to enable you to meet your market services licensee obligations ….
(Standard Conditions, p. 2)
The FMA surely put it mildly in remarking in the CrowdStrike Sheet that, “We encourage all financial service providers to have sufficient oversight over their third-party providers and all outsourcing arrangements” (p. 3). In practice, FSPs, including MIS managers, cannot lawfully contract out of their duties and obligations under their licences and the Financial Markets Conduct Act 2013 via arrangements made with outsource providers that are connected to their licensed businesses and are relied upon in order that FSPs can comply with their market services licensee obligations. An FSP cannot reasonably expect to get off the hook by claiming not to know that the FMA should have been notified because it was unaware that its outsource provider had experienced a material impact from an incident like the CrowdStrike event or a cyber-attack. FSPs should anticipate that at some point in time their outsource providers will in fact suffer such impacts, and should prepare in advance by having robust communication channels in place through which to learn of these impacts immediately, or at the very least to receive prompt confirmation that they are not material.
With respect to ability to respond to disruptive events and impact on customer bases, FSPs surveyed gave themselves high marks and the FMA consequently reached benign conclusions in relation to these self-assessments. However, the reported impact on customer bases should not be taken at face value. The CrowdStrike event was a far-reaching software glitch that FSPs could blame on the originating service provider and thereby make common cause with their customers as being fellow helpless victims. The situation would be totally different in the event of a successful cyber-attack, especially one in which ransom was demanded or investor funds were stolen, in which case an FSP so affected would be more a villain than a victim and faced directly with financial, reputational, and regulatory risk exposure consequences. Condition 9 notification to the FMA would be inevitable in such cases.
Accordingly, while the CrowdStrike Sheet is of use to FSPs and provides sound advice on best practice, the fact that it relates to a software bug and not to a cyber-attack means that some of the purported self-confidence and future readiness reported by FSPs needs to be taken with a grain of salt. Technically proficient cybercriminals would be much harder to deal with than a transient service disruption caused by erroneous software. Supervisors should take an interest in what lessons their supervised MIS manager clients have drawn from the CrowdStrike Sheet concerning their cybersecurity posture and any improvements needed to it, particularly in the case of a cyber-attack with material consequences that would lead to Condition 9 notification.
Conclusion
“Cybercrime attacks on managed funds and their investors are on the rise and becoming increasingly sophisticated in the way that they are being orchestrated,” said Matthew Band, General Manager of Trustees Corporate Supervision at Trustees Executors.
“MIS managers, including managers of KiwiSaver schemes, need to be constantly vigilant against cybercriminals, who are always quick to exploit new technological developments and opportunities for career specialisation that can be deployed against consumer savings and investments.”
“It is wise for MIS managers to take heed of the FMA’s advice provided in the CrowdStrike Sheet, but that advice also needs to be read through the lens of cyber resilience to malicious actors motivated by criminal intentions.”
“This not only includes investing in the best levels of internal cybersecurity that MIS managers can afford, but also a need to consider carefully how they are managing the cyber risks that their own investor base may unwittingly pose to their managed funds.”
“It is prudent for MIS managers to develop investor communications strategies focused on how their clients can best protect themselves from cybercrime.”
“These strategies should cover investor onboarding and subsequent regular and ad hoc communications designed to increase investor cybersecurity hygiene and literacy.”
“Acting in this way serves not only the best interests of investors and adds value to their experience of investment, but also serves the interests of the MIS managers themselves in mitigating their risks from cybercrime and non-compliance with Condition 9, and more broadly helps to build public confidence in New Zealand’s financial markets.”
“Moreover, where MIS managers are reliant upon outsource providers for compliance with their market services licensee obligations, they should take care to link up their obligations under Condition 3 with their obligations under Condition 9.”
“Supervisors should engage constructively with MIS manager clients to confirm that their cybersecurity is up to scratch and operating in conformance with Standard Conditions, and that these managers are communicating effectively with their investors in order to implement the beneficial, value-adding aims of helping to protect these consumers and their managed fund investments from cybercrime, thereby boosting overall levels of cybersecurity hygiene and literacy within the New Zealand public.”
For comment or more information, or to be added to the free email subscriber list of “The Supervisor”, please contact Matthew Band at [email protected].