The first sign of trouble came via an early-morning IT update last Sunday. Access to systems and services across the Nine Network was down and the issue was being investigated.
Updates of this sort are fairly routine in a large organisation and more often than not they amount to little more than a minor inconvenience. This one, however, was the first of many subsequent messages that offered little relief.
As it turns out, the system disruption picked up on Sunday – the gravity of which was relayed to Nine’s new boss, Mike Sneesby, as early as 3.30am – was just the first ripple from a ransomware attack that had compromised Nine’s corporate network. The assault not only temporarily knocked out Nine’s ability to broadcast programs in Sydney, it also threw the print production of its newspapers – The Age, The Sydney Morning Herald and the Australian Financial Review – into disarray.
Between 9.30am and 10.00am the full force of the hack, the largest cyber attack on a media company in Australia’s history, started to filter through to the business. The corporate network had to be unplugged in a bid to limit the spread of the contagion and staff were told to work from home. Every part of the business was affected, including payroll, and staff were told not to open suspicious emails or messages on social media platforms such as LinkedIn.
Nine’s broadcast unit and its publishing arm – which wasn’t the target of the hackers – are still slowly finding their feet. Broadcasts are back and the papers haven’t stopped being printed, but loss of the digital framework that underpins production has pushed the organisation to its limits. At this point Nine knows neither the identity nor motives of the hacker, although preliminary examinations suggest the use of ransomware software.
It could be months before things return to normal and while forensic teams continue trying to pinpoint the source of the attack, information security experts say carrying out such attacks is becoming easier every day.
Ransomware used, but no ransom demand