Channel Nine is cleaning up its systems after an alleged cyber attack forced the broadcaster off the air on Sunday morning.
The incident saw Nine unable to broadcast its breakfast program Weekend Today and forced the media company to bring in contingency plans in order to show NRL games and its evening news bulletin.
In a widely quoted all-staff email, Nine’s Director of People and Culture Vanessa Morley said the incident was being managed by its IT staff but did not further elaborate on the nature of the attack.
“Our IT teams are working around the clock to fully restore our systems which have primarily affected our broadcast and corporate business units,” Morley said.
“Publishing and radio systems continue to be operational.”
Morley directed Nine staff to work from home “until further notice” while the attack got cleared up.
Quoting sources “familiar with the discussions” at the media company, Nine’s metropolitan newspaper the Sydney Morning Herald said the attack was “some kind of ransomware” but that attackers have not made a ransom request.
The Australian Financial Review, also owned by Nine, claimed it was the MedusaLocker ransomware.
Data from the Nine attack has not yet appeared on dark web leak sites commonly used by ransomware criminal groups to extort their victims.
The media company's chief information and technology officer Damian Cronan said the attack would have ongoing effects at Nine while it is cleaned up.
“This will have a significant impact on business-as-usual processes across the organisation,” he told staff in an email.
“We will be carefully assessing how we bring back controlled levels of connectivity into the network with an emphasis on service restoration and I want to be clear it will take time before all our systems are back up and running.”
Professor of Cyber Security at RMIT University, Matt Warren, said it appeared to be a ransomware attack that had been contained before spreading through all of Nine’s network.
“The way it has been described as hitting certain core functions suggests the network segmentation would have worked, meaning only part of their systems were impacted,” he told Information Age.
“Nine also told people to work from home because people’s devices may be infected and bringing it back into the organisation may be a threat.
“The individual is a common attack vector which sees someone clicking a link and downloading malware onto the corporate system.”
Criminal gang or state actor?
The apparent absence of a ransom note may indicate the attack was only partially successful and makes attribution difficult.
Ransomware tends to be a financially-motivated cyber attack.
Attackers typically use phishing campaigns to get unsuspecting staff to click on a link that downloads an exploit package which aims to encrypt all files on a system and leaves a note demanding large bitcoin payments in exchange for a decryption key.
In a tweet on March 28, 2021, Channel9 (@Channel9) said: “A cyber-attack on our systems has disrupted live broadcasts today however, we have put processes in place to ensure we’re able to resume our normal broadcast schedule. See the full story in tonight’s @9NewsAUS at 6.00pm.”
In recent years, attackers have also started exfiltrating data from the affected systems and threatening to publish it all on the dark web if the organisation doesn’t pay up in time.
Professor Warren told Information Age the financial motivations behind these attacks mean ransomware is usually the domain of criminal gangs.
“But in the current political climate, it could also be state actors projecting power,” he said.
“This is the first time we've seen a cyber attack against an Australian media organisation that has impacted live productions.
“That’s why the attribution process is going to be very important to see if they can determine where the attack came from and if it’s just a one-off from a criminal gang or part of a broader state attack.”
North Korean hackers famously brought down Sony’s IT network after the company released a movie poking fun at North Korean ruler Kim Jong Un.
Parliamentary IT disruption
As Nine was preparing its contingency plans, Federal Parliament struggled with its own IT disruption after a potential cyber attack.
The incident saw parliamentary staff and MPs lose access to emails over the weekend, which Assistant Defence Minister Andrew Hastie said was related to “an external provider”.
“Once the issue was detected the connection to government systems was cut immediately as a precaution,” he said.
A Department of Parliamentary Services (DPS) staff member told Information Age the outage affected internal systems and was still under investigation.
Hastie said the Australian Cyber Security Centre was working with DPS in response to the incident.
“The government acted quickly, and we have the best minds in the world working to ensure Australia remains the most secure place to operate online.”
A government source told the ABC there was an attempted attack on DPS services, but that it was not particularly sophisticated, saying the attacker “tried so clumsily to compromise the DPS system in particular, that the system itself noticed and shut down”.
The government is currently looking into overhauling critical infrastructure protections that would see it intervene in organisations classed as 'critical infrastructure' during a national cyber emergency.
Speaking to 2GB on Monday, Hastie called for Australians to take a more proactive approach to cyber security.
"We need to start thinking about cyber not just in private terms, but as a new battlefield," he said.
"And we need to think about protecting Australian sovereignty through our digital sovereignty, not just our own individual security.
"So if every Australian is having complex passwords, patching their software, and if businesses are constantly refreshing and upgrading their digital systems, we'll be in a much better place as a country."