The first sign of trouble came via an early-morning IT update last Sunday. Access to systems and services across the Nine Network was down and the issue was being investigated.
Updates of this sort are fairly routine in a large organisation and more often than not they amount to little more than a minor inconvenience. This one, however, was the first of many subsequent messages that offered little relief.
As it turns out, the system disruption picked up on Sunday – the gravity of which was relayed to Nine’s new boss, Mike Sneesby, as early as 3.30am – was just the first ripple from a ransomware attack that had compromised Nine’s corporate network. The assault not only temporarily knocked out Nine’s ability to broadcast programs in Sydney, it also threw the print production of its newspapers – The Age, The Sydney Morning Herald and the Australian Financial Review – into disarray.
Between 9.30am and 10.00am the full force of the hack, the largest cyber attack on a media company in Australia’s history, started to filter through to the business. The corporate network had to be unplugged in a bid to limit the spread of the contagion and staff were told to work from home. Every part of the business was affected, including payroll, and staff were told not to open suspicious emails or messages on social media platforms such as LinkedIn.
Nine’s broadcast unit and its publishing arm – which wasn’t the target of the hackers – are still slowly finding their feet. Broadcasts are back and the papers haven’t stopped being printed, but loss of the digital framework that underpins production has pushed the organisation to its limits. At this point Nine knows neither the identity nor motives of the hacker, although preliminary examinations suggest the use of ransomware software.
It could be months before things return to normal and while forensic teams continue trying to pinpoint the source of the attack, information security experts say carrying out such attacks is becoming easier every day.
Ransomware used, but no ransom demand
Ransomware attacks generally see hackers ask for a payment to undo the damage they cause. So far no such demand has been received by Nine.
Marc Rogers, vice-president of security strategy at digital identity management company Okta and a former hacker himself, says even a garden-variety hacker can easily gain access to the sophisticated malicious software that was once the sole preserve of state actors.
“What’s happened now is the same thing that we saw in the banking industry with trojans [malicious software that impersonates legitimate applications to take control of a network],” he says. “As soon as there is a really good tool family out there, it starts being lent out and it starts being sold.”
He adds that the Medusa family of ransomware, which has been linked to the Nine attack, is a good case study of this. Any criminal enterprise can lease a Medusa kit and potentially a separate kit that compares a target organisation against an up-to-date list of vulnerabilities in order to gain access.
“The people who operate it don’t have to be that sophisticated. If you have the money, you can go out and buy point-and-click tools to break into things,” he said.
Joseph Failla, head of cybersecurity at consulting firm Accenture Australia, says a ransomware attack with no ransom demand is highly unusual.
He suggests that the hackers may not be finished just yet, warning that the attack could be followed up with another.
Nine says it does not appear that the attackers have stolen any data.
“They’ve been there for a while,” Failla says. “They may be back, or still be there. Us in the trade would say they’ve probably taken something or planted something. It’s not over yet.”
Failla adds that states often outsource various pieces of their attacks to other players, sponsoring multiple criminal gangs or hacker groups. In this way a large number of targets can be hit and primed for further attack, while making attribution very difficult.
“It deflects from them a bit, and also if you can get more [hackers] doing the same thing it can make it really hard for targets,” he says.
“[States] also often want to test out the tools the gangs are playing with, to see if they can make use of them or need to protect themselves from those guys.”
If the hackers behind the Nine attack were indeed tied up with or sponsored by a state, Failla says it was highly unlikely they would ever be prosecuted. And the hackers know this.
“A lot of state-sponsored hackers face no extradition even if they’re caught. And they take a lot of care to make sure that, even by accident, they’re not hacking their motherland or friendly associates, so they’re protected.”
The silver bullet fallacy
Nine is by no means the only high-profile organisation to have been breached in recent months. The attack on it coincided with one on Parliament House in Canberra, which forced the federal government’s email network to disconnect.
The last couple of months have also seen Melbourne-based Eastern Health, which operates Box Hill, Maroondah, Healesville and Angliss hospitals, and RMIT university come under attack. Bluescope Steel, beverage giant Lion Australia and Taylors Wines are just a few big scalps claimed by hackers over the last 12 months and the full list of victims is likely much longer.
Kurt Hansen, co-chief executive of ASX-listed cybersecurity consultancy Tesserent, says while boardrooms across Australia understand the risk, very few of them fully appreciate the extent of the investment and the approach needed to not just protect themselves but more importantly to get back on their feet quickly after a hack.
“Some stakeholders budgeting for cybersecurity forget that it’s a bit like paying insurance – you have to keep investing.
“The threats, the technology and the processes are always changing and organisations have to keep pace. Our financial institutions have been dealing with these issues for decades but the attacks are now moving down to other industries,” Hansen says.
As the hackers expand their scope, Hansen says organisations cannot rely on any single piece of technology for safety.
“One problem is that there are a lot of people out there who will say they have the silver bullet but the reality is that there’s no such thing.”
“Now there’s good software and there’s average software, there are different ways of protecting an organisation, but the reality is that a combination of technology, people and process is what makes an organisation more resilient,” Hansen says.
The human element just might be the most important one when it comes to blunting the approaches of cyber criminals, according to Claire Pales, a director at boutique cyber security advisory firm 27 Lanterns.
“Being resilient to something like ransomware does cost money, continual investment is absolutely needed and these attacks aren’t just a technical issue or a problem for the IT side of a business,” she says.
“It’s not just about financial investment, it’s also about education of the staff and the board.”
Most organisations in Australia would fall short of the “Essential Eight” controls for mitigating cyber attacks recommended by the Australian Signals Directorate (ASD).
These measures, which range from controlling which applications are allowed to run inside a network to diligently patching the bugs that regularly crop up in the software organisations use, are not mandatory and impose a burden on organisations, which may explain the complacency.
Pales says cyber security training inside an organisation may need to take a leaf out of the good old-fashioned fire drill, where every member of an organisation would know what to do in case of a hack, irrespective of how much they know about the technology.
“This problem can’t be just solved by the technical team, everybody inside an organisation needs to be talking about this because a platform doesn’t cause an incident, there’s always a person on the other end,” she says. “They open an email or click on a malicious link – it’s humans that we need to be thinking about.”