In its evening news bulletin on Monday, a day on which it managed to broadcast the whole day, Channel Nine said the two countries were suspected because the network had run a program critical of North Korean leader Kim Jong-un on its 60 Minutes program on Sunday night.
The attack was made public on Sunday morning, a day on which Nine could not broadcast its popular NRL Sunday Footy Show, though it managed to show the afternoon's rugby league games.
Russia and North Korea have been singled out as suspects in the biggest-ever cyber attack on an Australian media company – and experts say it could be retaliation from recent attention by the Nine Network. @DamoNews #9News pic.twitter.com/6YzQuUVjj7— 9News Australia (@9NewsAUS) March 29, 2021
On Monday night, Nine ran a program about Russia's use of chemical poisons to kill its enemies abroad, as part of its new Under Investigation series, and speculation over Moscow's involvement has sprung from this.
Sneesby said a cross-business working group had been set up to decide on which services needed to be restored sooner.
Cronan said the first 24 hours since the attack was noticed had been focused on containment, which he said had been successful.
Some not-polluted-with-any-evidence shitposts about the Channel Nine “cyber attack”.— Christopher Biggs (@unixbigot) March 29, 2021
1/ If this is “one of the most sophisticated attacks expert security consultants have ever seen”, maybe this says more about your experts than your attacker.
"The consequence of this containment strategy is that our corporate network has been disconnected from the Internet, and all internal networks separated from one another (e.g. Broadcast from Publishing, Sydney from Melbourne etc). Other upstream and downstream providers have also been disconnected," he added.
All staff were given instructions on how to run diagnostics on their laptops to ensure that any infected work streams could be isolated.
"We will be carefully assessing how we bring back controlled levels of connectivity into the network with an emphasis on service restoration, and I want to be clear it will take time before all our systems are back up and running," Cronan said.
Nine also said in its news broadcast that it had faced issues getting its newspapers — the company owns The Age, the Sydney Morning Herald and the Australian Financial Review — out, though there were more problems with publishing the online editions than the print publications.
In a note to subscribers, which was posted on Monday afternoon and then updated at 7.07pm, AFR editor-in-chief Michael Stutchbury and editor Paul Bailey said: "Production of the Australian Financial Review continues to be disrupted by the cyber attack on Nine on Sunday.
"To minimise disruption for subscribers while we work to restore our systems, all of our articles have been made available to read without logging in.
"Access to subscriber-only features has now been restored including for Today’s Paper, Newsfeed, recently read, saved articles, markets data and company pages. Subscribers who cannot access the ipad and phone apps can read all of our articles on afr.com. Email newsletters are being sent as usual.
"We also have limited access to our print production system and are unable to use new photographs or create graphics. We are working to return production of the print edition to its usual high quality."
Given that the attack was on Nine's Sydney offices, most of the TV and newspaper work has been done from Melbourne, with staff working from home for the most part.
In the case of the TV output, the company has had to split between Melbourne and Sydney to run a full schedule on Monday.
Ransomware has been suspected to be used for the attack but Nine is still claiming it has not received any ransom note.