Sinclair TV Stations Targeted in Weekend Ransomware Attack
Media Giant Reports Broadcast Outages Nationwide; Investigation is Ongoing
Stay tuned for updates on this developing story.
Sinclair Broadcast Group, Inc., which owns or operates 186 television stations across 87 U.S. markets, has been hit with a ransomware attack that has disrupted operations - including advertisements and certain newscasts and programming.
In an announcement, the company confirms that it detected a security incident on Oct. 16, and by the next day determined that certain servers and workstations in its environment were encrypted with ransomware. Certain office and operational networks were disrupted by the attack, it says. The company also confirms that data was siphoned from its network - though it is working to determine the type and severity of the loss.
Sinclair Broadcast Group also disclosed the incident in a U.S. Securities and Exchange Commission Form 8-K, used to keep shareholders apprised of qualifying major events.
Sinclair, based outside Baltimore, Maryland, reported nearly $6 billion in revenue in 2020 and is affiliated with Fox, ABC, CBS, NBC, and The CW. Its offerings also include 21 regional sports networks. Sinclair Broadcast Group reaches approximately 40% of U.S. households, according to the Baltimore Sun.
Announcing the attack Monday, the company writes: "Promptly upon detection of the security event, senior management was notified, and the company implemented its incident response plan, took measures to contain the incident, and launched an investigation."
The media company says legal counsel, a cybersecurity forensics firm and other incident response professionals have been engaged. The company has also notified law enforcement and other governmental agencies, it says. Related investigations are "ongoing."
In a statement shared with Information Security Media Group, a Sinclair Broadcast Group spokesperson did not offer specifics on the attack or ongoing disruption, but confirms: "We implemented our incident response and business continuity protocols, took measures to contain the incident, and launched an investigation. A cybersecurity firm that has assisted other companies in similar circumstances was engaged.
"We are working diligently to address the incident and to restore operations quickly and securely. As we work to complete the investigation, we will look for opportunities to enhance our existing security measures."
The spokesperson did not indicate whether Sinclair Broadcast Group has paid, or intends to pay, any ransom demanded by the hackers in order to decrypt systems.
John Bambenek, principal threat hunter at the security firm Netenrich, tells ISMG: "The interconnectedness of Sinclair with local stations did knock some stations off the air, showing that supply chain risks are still significant. Once again, we have another example of how brittle our technology can be when highly capable attackers go after targets likely with a small amount of security resources."
'Disruption to the Business'
In its announcement, the company says "the event has caused - and may continue to cause - disruption to parts of the company's business," including the delivery of local advertisements.
Sinclair also says its investigation is in the early stages and as such, it cannot determine whether the event "will have a material impact on its business, operations or financial results."
According to the industry publication FTVLive, the media company also experienced a cyber incident in July, and reportedly told its stations to change their system passwords.
Sinclair Broadcast Group’s content is delivered via multiple platforms, including over-the-air, multi-channel video program distributors, and digital and streaming platforms.
According to early reports from BleepingComputer, attackers were able to compromise the company's corporate Active Directory domain - the directory service that manages users, computers and authentication across a Windows network, and which, once controlled, lets an attacker push software such as a ransomware payload to every domain-joined workstation and server. The attack reportedly reached Sinclair's TV broadcast systems and triggered outages for both its business and its affiliates.
With corporate assets disabled, some TV stations reportedly resorted to using Gmail to field news tips, and PowerPoint for on-screen graphics. According to reports and social media posts, others resorted to broadcasting weekend shows via Facebook Live.
What's more, in some U.S. markets, NFL broadcasts were interrupted by the incident - with games reportedly switching to different programming, including bowling.
On Twitter, one user complained of the mix-up, writing, "I don't know if it's @hulu or @FOX42KPTM but Chris Paul and Hannibal Buress bowling is not the packers-bears game."
Tweeting a response, Hulu acknowledged, "Apologies for the trouble! There's an issue with the feeds from some local stations that's currently under investigation."
Stations spanning from the East Coast to Texas reported technical issues Sunday, according to the cybersecurity publication The Record.
Addressing the Threat
On the incident, Oliver Tavakoli, CTO at the security firm Vectra, adds: "Taking media companies like Sinclair Broadcasting offline is certainly more visible than compromising the operations of a meat processor, such as JBS Holdings. Note that media companies like Sinclair employ a fair amount of specialized IoT, including cameras, microphones [and] broadcasting equipment, which have had a spotty patching record and may make it difficult to restore operations."
Bill Lawrence, a former cybersecurity instructor at the U.S. Naval Academy and currently CISO with the firm SecurityGate, tells ISMG, "Somehow, the attack didn't spread to Sinclair's 'master control' broadcast system, so if it was network segmentation or a higher level of protection and care for the 'crown jewels,' those are good practices to emulate."
Kayne McGladrey, an advisory board member for the Technology Alliance Group NW and cybersecurity strategist for the firm Ascent Solutions, says once the incident is resolved, Sinclair "should do an internal hot-wash" to identify lessons learned - so it can strengthen its technical defenses and update and validate its incident response plan.
Netenrich's Bambenek adds, however: "[But] until governments can find a way to make ransomware operators accountable, we will keep seeing stories like this."
The Sinclair attack falls within a busy year for ransomware, with similarly damaging hits on Colonial Pipeline, which temporarily halted fuel pipeline deliveries to much of the East Coast; on meat supplier JBS USA; and on the managed service provider Kaseya, an attack that ultimately affected about 1,500 downstream organizations over the July Fourth holiday.
In response to this surge, the U.S. government has said it is taking a "whole-of-government" and, increasingly, a "whole-of-nation" approach to curbing ransomware, including attempting to disrupt its financial infrastructure - for example, the use of cryptocurrencies and related laundering services. Additionally, the U.S. Department of the Treasury last month sanctioned the Russia-based cryptocurrency exchange Suex - the first such designation of a virtual currency exchange - for allegedly facilitating transactions for ransomware actors (see: US Treasury Blacklists Russia-Based Crypto Exchange).
And last week, the White House National Security Council facilitated a two-day, 30-nation summit to counter ransomware, claiming progress had been made in identifying these attacks as a global security threat (see: US Convenes Global Ransomware Summit Without Russia).
This story has been updated to include additional analysis.