Australian TV Channel Disrupted; Ransomware SuspectedAlso, Parliament's Email System Shut Down After Clumsy Compromise Attempt
A major Australian broadcaster was hit over the weekend by what was likely ransomware, and the country's federal Parliament was affected by what is described as a clumsy incident that nonetheless triggered a shutdown of its email system.
Nine Entertainment, which runs Channel 9, resumed broadcasting later on Sunday after a cyber incident in the morning disrupted one of its live shows. The incident also affected its email system and other production and editing systems.
The company said the incident was "a sophisticated and calculated attack and has fundamentally disrupted how the network delivers and presents news." Nine Entertainment also owns The Sydney Morning Herald, The Age and The Australian Financial Review newspapers.
The technology that brings you 9 News every night is under attack by hackers.— 9News Australia (@9NewsAUS) March 28, 2021
Whether it’s criminal sabotage or the work of a foreign nation is still being investigated, but this attack could reveal a nationwide vulnerability. @MarkWBurrows #9News pic.twitter.com/YL8l1DLNVV
The Sydney Morning Herald writes that "experts believe it is some kind of ransomware likely created by a state-based actor." The company, however, has not received a ransom note.
The Australian Financial Review writes that the Nine Network shifted its broadcasting operations from Sydney to Melbourne as a result of the attack and says the event's impact could last for days. Later on Monday, the newspaper reported that an email sent to staff suggested the malware could be the MedusaLocker ransomware due to a file left on computers called "Recovery_ Instructions.html."
On Monday, Nine Entertainment wrote that "a cyber attack of this scale on a media company in Australia is unprecedented."
The problems prevented Channel 9 from airing its popular Weekend Today morning show for a few hours on Sunday.
In a video report on Sunday, Nine Entertainment didn't specify what might have caused the problems but referenced the ransomware attacks against shipping company Toll Group, which was hit twice early last year.
Toll Group was first hit by the Mailto ransomware in February and then by the Nefilim ransomware in May. The company refused to pay a ransom (see: Toll Group Says Ransomware Attackers Stole Data).
Organizations often struggle to get the security basics right, which is in part why ransomware is flourishing, says Alexei Doudkine, co-founder and offensive director at Volkis, a penetration testing and consulting company based in Sydney.
"You don't buy a car from a dealership and drive it into a seat-belt workshop," Doudkine says. "That's what we're doing now with security."
The Australian Cyber Security Center said last September that ransomware is one of the most significant threats to businesses and government agencies. Cybercriminals often use stolen login credentials or gain access to tools such as remote desktop protocol to deploy ransomware, it said.
Many attacks could be thwarted by good cyber hygiene, the ACSC said (see: Stung by Ransomware, Australia Urges Better Preparation).
Parliament Email System Shut Down
In a separate incident over the weekend, members of the federal Australian Parliament were left without access to email.
The ABC reports of an attempt to compromise an external provider for the Department of Parliamentary Services, which is responsible for the chamber's IT services.
An anonymous source tells the ABC that an intruder "tried so clumsily to compromise the DPS system in particular that the system itself noticed and shut down exactly like [it was] designed to do."
The Australian Financial Review reported Monday that an email sent by the DPS warned that the shutdown affected updates to email, calendars and contact applications.
The Parliament's email system has been targeted before. In February 2019, officials said the system was breached, but there was no evidence that data was stolen. Later than month, Prime Minster Scott Morrison attributed the incident to a "sophisticated state actor."
Reuters reported in September 2019 that Australia’s intelligence agencies believed China’s Ministry of State Security was involved in the attack against Parliament as well as attacks against three political parties before a general election in May 2019. China disputed the allegation.
Two months later, Sen. Scott Ryan said an investigation into the attack on Parliament uncovered a watering-hole type of attack in which a legitimate external website had been compromised. Ryan said that "caused malware to be injected into the Parliamentary Computing Network," presumably because legislators were infected with malware by the website (see: Compromised Website Led to Australia Parliament Hack).