Ajay Unni, Founder and CEO, StickmanCyber, was in conversation with The Sydney Morning Herald after the recent cyber attack at Australia’s largest media company, Nine Entertainment Co.
Read the full article below as featured in The Sydney Morning Herald.
The Australian Federal Police and NSW Police have been asked to help investigate the cyber attack that has crippled Nine Entertainment Co, as Australia’s largest media company begins to restore its internal technology network.
A Nine spokesperson said no data had been removed from its computer systems as of Tuesday afternoon, but attempts to isolate the attacker continue to affect multiple parts of the business, including its publishing operations. Nine’s publications include The Sydney Morning Herald and The Age as well as The Australian Financial Review. The company also owns the television network that airs shows such as Married at First Sight and The Block, streaming service Stan and radio stations such as 2GB and 3AW.
“As a precautionary measure, we isolated our network in order to protect the systems and data held on them,” a Nine spokesperson said. “At this stage there is no indication any data has been removed from our systems. We are now moving to restore full services.”
Late on Tuesday the company also warned staff to be vigilant about suspicious external communications and asked them to not engage with emails, social media messages or invitations from people claiming to be connected to the attack.
“This is an important reminder that if you are contacted online from anyone claiming to be involved in the recent cyber-attack, do not click or engage with the content,” the note said. “This includes: Emails from addresses you do not recognise, or that look suspicious; or social media invitations, requests or messages from people you don’t know.”
Sources familiar with Nine’s discussions said it had contacted the AFP and NSW Police units about the attack, in addition to speaking with the Australian Signals Directorate’s top cyber security agency on Sunday. NSW Police declined to comment while a spokesperson for the AFP said it did not comment on matters until formal reports are submitted.
Nine’s spokesperson declined to comment on how many computers were affected in the attack, which targeted its corporate network. However, the computers impacted are from the broadcast and corporate divisions, which are occupied by more than 2000 staff.
Newly appointed chief executive Mike Sneesby told staff on Monday night the attack, which took place on Sunday morning and caused major issues for live broadcasts, was “significant” and had a high potential to disrupt the business. However, he said the response from staff allowed the immediate impact to be mitigated.
“We are conscious some of the systems you normally rely on each day have been impacted. It’s important that you continue to work with your managers on alternate processes, but acknowledge there are some tasks you will not be able to complete at this stage,” Mr Sneesby said.
Nine spoke to external security experts who believed it to be some kind of ransomware or malware likely created by a state-based actor, according to people familiar with the talks.
The company has since engaged forensics and recovery firms and now believes the attacker used Nine’s network to send fraudulent updates to workers’ computers. These updates encrypted data and made the machines unresponsive. The computers are still affected but have been isolated to stop the spread of the attack.
No requests for ransom have been made so far, but sources close to Nine’s internal talks said a ransomware strain called MedusaLocker may be behind the attack. Medusa affects individual computers and systems and is often used by criminals that want some form of financial pay-off.
To mitigate the issues in the publishing division, the Financial Review removed its paywall for subscribers and reduced the size of its print edition to 24 pages on Tuesday. The Financial Review, Herald and The Age were unable to use the usual production technology and design functions and could not create graphics because of issues related to containing and isolating the attacker.
Nine is not the only company to be affected by a cyber security breach in recent months. In early March, local companies were caught up in a massive breach that used four major Microsoft bugs to access computer systems. Late last year, NSW Health and others emerged as victims of a huge global series of hacks that injected malicious code into another commonly used software called Orion.
Ajay Unni, founder of StickmanCyber and member of the 2020 NSW Government’s Cyber Security Task Force, said the attack could have a “long-lasting impact” on the company.
“The attackers could have installed malicious software in different parts of the network, and will now wait and watch,” Mr Unni said. “This is what we call an Advanced Persistent Threat.”
“Ransomware in many cases is irreversible, unless the victim gets a hold of the keys to decrypt the encryption algorithm which are normally very complex.
“One of the most common ways to recover your data and services after a ransomware attack, is to restore from an earlier backup, but recently we have seen hackers also encrypting the backups. This could be why it is taking the Nine Network so long to restore their services. In such a situation, the only other way to work around this is to go through each backup until you find one that has not been encrypted by the hacker but in doing so, you have the impact of lost data.”
Nine’s shares fell 2.4 per cent to $2.85 the day after the attack took place. The stock was unchanged on Tuesday.