Monday, 18 Nov 2024

Why was Nine hacked and how do cyber attacks actually work?

Anything that’s online can be attacked. But what do hackers want? And what can be done to stop them?

The media report on cyber attacks almost every week. But this time the hack hit inside the house, knocking one of Australia’s biggest media companies, Nine Entertainment, off air in Sydney on Sunday morning.

The attack on Nine, which also owns this masthead, bears all the hallmarks of ransomware – where criminals encrypt a computer’s data to make it inaccessible and then demand money to unlock it. Only there have been no such demands.

And the attack was, as cyber experts say, sophisticated, suggesting the hackers were not your garden-variety internet criminals. They had considerable resources and expertise at their disposal, in the realm of serious organised crime or even a nation state. If a foreign country is behind the attack, two suspects sit squarely in view: China and Russia.

So what do we know about the hack so far? How do attacks like this generally work? And what can be done about them?

The mystery remains about who is behind the Nine hack. Credit: Shutterstock

What happened?

On Saturday night, the computers at Channel Nine in Sydney began acting strangely. By Sunday morning, as the Today show was gearing up to go to air, many of them didn’t work at all. A sweeping attack had hit the corporate network, paralysing its systems. The Age, The Sydney Morning Herald and The Australian Financial Review were not directly affected but defensive measures taken by Nine’s technology team did disrupt some aspects of print production. Nevertheless, all newspapers made the presses. And, as redundancies were brought online to replace the networks now in lockdown, both the rugby and a national bulletin went to air that night.

By Monday morning, Today was back on screens, albeit with some hand-drawn graphics and moments of dead air. Weekday host Karl Stefanovic quipped: “Bear with us as we try and work around these technical issues caused by Vladimir [Putin] … We’re not blaming anybody in particular.”

Behind the scenes, cyber experts are now scrambling to untangle the attack and get regular systems back online. Many staff are working from home using their own networks. Nine has asked government spy agency the Australian Signals Directorate as well as other external experts for help investigating the attack.

This is not the first hack on a media company, not even the first that could have been launched by a foreign state. Chinese hackers hit The New York Times to mine for sensitive information in 2013, and a destructive hack that forced a French TV network off air in 2015 at first seemed to be the work of extremists, before it was traced back to Russian hackers.

But the Nine cyber attack is almost certainly the largest on an Australian media company to date.

At the University of NSW’s cyber centre, former cyber cop Nigel Phair says it is still too early to answer most of the key questions around the hack.

While hackers tend to leave some digital fingerprints behind them, they are clever too, often covering their tracks and hiding in systems for weeks, even months, before they are detected. The extent of the breach at Nine and how the hackers first got into company systems is not yet known.

But sources close to Nine say security experts analysing the detail so far have reported they had not seen this kind of attack before in Australia. It seemed to use a new variant of malware or ransomware, the sources said, casting suspicion on a state-based actor.

What does ‘state actor’ mean? And did one hack Nine?

Whenever a hack is deemed sophisticated, speculation inevitably turns to “state actors”, be they cyber soldiers attached directly to rival governments or hackers hired by states to attack others. This murky definition makes attributing attacks cleanly to countries difficult. Sometimes the answer to whether it’s a state or a criminal is that it’s both, Phair says. “Criminals go where the money is.”

While the United States, China and Russia are thought to have the most advanced cyber capabilities, Israel, the United Kingdom, even Iran and North Korea, also have formidable cyber armies. In Australia, most attacks considered sophisticated enough to be attributed to another state (from data grabs at our top universities to the infiltration of the Australian Parliament itself) are thought to have come from China. But, while diplomatic tensions have escalated considerably between China and Australia of late, China has mostly limited itself to espionage in the West, stealing secrets rather than trying to damage or ransom.

Russia, Iran and North Korea, meanwhile, are more brazen in their use of cyber attacks for political point-scoring. When Sony Pictures was making a comedy critical of North Korean leader Kim Jong-un, the nation hit the US film studio with a devastating attack. Likewise, the broadcast of the 2018 Winter Olympics was interrupted by hacks following Russia’s doping scandal. The attacks were even codenamed Sour Grapes by intelligence agencies linking them back to Russia.

Russian President Vladimir Putin. Credit: AP

“I would suggest our government would have a reasonably good idea about who is behind it from the [hacking] signature,” Phair says of the Nine hack. “That might give them some idea about the motivation. Is it posturing because it’s a big, public entity, they’re showing what they can do, we can actually take TV shows off air?”

This idea of a country flexing its cyber arsenal has been floated before to explain the lack of obvious motive behind Russian hacks on that French TV network in 2015.

But others have suggested Nine’s reporting may have made it a specific target. As diplomatic tensions escalate between China and Australia, The Herald and The Age have investigated Chinese government influence, spy agencies and the country’s involvement in hacking.

Separately, Channel 9’s Under Investigation program has been working on a story that looks at Russian President Vladimir Putin’s campaign of chemical assassination. The timing of the computer blackout, the day before that program was due to air on Monday night, has raised eyebrows.

Still, independent security researcher Troy Hunt says cybercriminals come with increasingly formidable cyber tools now, too, and should not be discounted.

If the attack is not by a state actor then a ransom demand may yet be forthcoming. Or, in some cases, such as the devastating NotPetya attack by Russian hackers on Ukraine in 2017, a piece of malware will pose as ransomware, demanding money or bitcoin to unlock corrupted files, which hackers have no intention of restoring. Destruction, not money, is the goal. “Is it really ransomware then?” Phair wonders. “We don’t know yet in [Nine’s] case either.”

What can be done about it?

Nine is not the only Australian company hit by hackers. The world is now in an arms race between security experts looking to patch products and hackers looking to exploit vulnerabilities. Just this month, local companies were caught up in a massive breach that used four major Microsoft bugs to access computer systems. Late last year, NSW Health and others emerged as victims of a huge global series of hacks that injected malicious code into another commonly used software called Orion. Both these hacks, thought to be linked to the Chinese and Russian governments respectively, were highly sophisticated and collected a huge amount of data from thousands of companies around the world.

Australian security agencies say the threat is escalating all the time and the federal government has been investing more in developing cyber forces to combat it. On Monday, Treasurer Josh Frydenberg said the cyber threat “was more pervasive than people think” and it’s “not going away, whether it’s other governments or whether it’s criminal organisations, cyber security is the new battlefront”.

In fact, the same day that the Nine hack occurred, federal MPs and senators such as Frydenberg found themselves suddenly cut off from their emails, in an incident now under investigation but reportedly not considered to be sophisticated nor connected to the Nine attack.

Experts say that while Australia is now taking the cyber threat more seriously, it is far from leading the pack. “We don’t want to be the low-hanging fruit,” as Phair puts it.

Anyone can be vulnerable to cybercriminals looking to score cash and the digital lives of citizens are often collateral damage when nations do battle online.

While ransomware and malware attacks on companies are notoriously difficult to investigate and prosecute, experts say governments are actually getting better at attributing attacks to a particular nation. It is often politics that stops outright finger-pointing.

No one wants to tip the skirmishes in cyberspace into real-world warfare. And calling out another nation’s hacks might make them more likely to call out your own. Still, Phair and other experts argue that the silence on cyberspace is only making the stakes higher, as nations push the boundaries without fear of retaliation.

“There needs to be retribution,” says Phair. He argues that governments should more regularly call out and sanction those behind major attacks, as the US did when North Korea hacked Sony.

Many attacks also go unreported by companies reluctant to draw attention to their own vulnerabilities. Companies have to report data breaches to the Office of the Australian Information Commissioner (OAIC) only if they involve the loss of personal data that could result in “serious harm”, and “there’s no clear definition for what serious harm means,” Phair says.

“We need to have a serious discussion about laws stopping people from paying for ransomware. Because the only reason criminals hit Australia is that we’re paying. If no one is going to pay, they will go somewhere else.”

Of course, Phair says that many businesses are still in the dark about how to report cyber attacks, let alone defend themselves from them. Small to medium businesses, in particular, need more resources and support from the government, he says.

But they also need to consider for themselves building security and risk management into the heart of their operations.

“How often do you hear of a bank getting hacked?” Phair asks.

“[Businesses have] got to stand on their own two feet too, they can’t rely on the government to come in and fix everything.”

With additional reporting by Tim Biggs
