Please stand by, Sinclair Broadcast Group hit by ransomware


Sinclair Broadcast Group, a US media conglomerate that operates a number of TV stations, has confirmed that they have been the victim of a ransomware attack which has disrupted operations for at least several TV stations. 

The news of the ransomware attack was first reported on Sunday by The Record, an online publication owned by the cybersecurity company Recorded Future.

This Monday, Sinclair confirmed, both in a Securities and Exchange Commission filing and on their main site, that “the Company identified and began to investigate and take steps to contain a potential security incident”. The company said they had also “identified that certain servers and workstations in its environment were encrypted with ransomware, and that certain office and operational networks were disrupted”.

The Hunt Valley-based media company further disclosed that data had been “taken from the Company’s network”, and that they “are working to determine what information the data contained and will take other actions as appropriate based on its review”, although the nature of the data involved currently remains undisclosed.

The company has “implemented its incident response plan, took measures to contain the incident, and launched an investigation” and “also notified law enforcement and other governmental agencies”.  

Attack Surface 

While Sinclair has not officially disclosed the exact exploit, a source told The Record that “Internally, it’s bad”. Apparently, the attack was difficult to isolate because many sections of the Sinclair IT network were interconnected via the same Active Directory domain, which allowed the threat actors to reach the broadcasting systems used for local TV stations.

Doug Madory, director of Internet analysis at Kentik, a network observability company, told the Washington Post that, after a brief period of activity, a number which Sinclair utilises for routing online traffic went dark Sunday night. This apparently could be either an indicator of malicious actors exfiltrating data or simply the company’s attempts to remediate.  

On the bright side, it appears that the threat actors didn’t manage to reach Sinclair’s “master control” system, which has allowed the broadcasting company to mitigate the cyber attack to an extent by replacing local feeds with national ones and syndicated programs like talk shows and sitcoms in a bid to at least remain on air in some capacity.

Local stations, which can have practically back-to-back newscasting hours, often rely more on writing, editing or scheduling software for daily operations. 

Effects on local broadcasts 

Sinclair, which operates 185 TV stations in 86 markets, has not officially confirmed the exact number of affected services. However, tweets on social media from reporters and staffers have confirmed that the list of disrupted services includes:

  • WLUK Fox 11 in Wisconsin. 
  • KHQA, Channel 7, in Hannibal, Missouri.  
  • CBS, Channel 6, in Albany, New York State. 
  • KOMO News in Seattle. 
  • KATU, Channel 2, in Portland, Oregon. 

Much of this information filtered through social media channels. Theron Zahn, a meteorologist and weather forecaster for KOMO News, posted to Twitter on Sunday that “We are not on the air this morning due to technical difficulties. We are working to fix them as soon as possible”. 

KOMO weren’t alone in informing their viewers of technical difficulties, either. “We are on the air, still dealing with significant technical issues… So our newscast looks a bit different today. But, we’re here! Bear with us as we work through the challenges,” said Hannah Olsen, a traffic reporter for KATU News, which serves Portland and Southwest Washington state, in a Twitter post. 

Dan McCarthy, a fellow reporter at KATU News, tweeted a “Shoutout to our spectacular AM team for making it work despite company-wide technical difficulties”. 

While the station was able to air on Monday morning, it was still experiencing difficulties. 

Meanwhile, a Columbus TV station was completely taken off air. “Technical issues have kicked us off the air this morning,” said Phil Kelly, a host at the station, in a Twitter post. “It’s a corporate wide problem that our engineers are working hard to fix. Hopefully see you soon?”.

Some journalists have taken to delivering broadcasts and news updates on local news, traffic and weather via posts on Twitter and Facebook Live, along with video clips for highlights. 

Further impacts 

There were also further impacts against communication channels from the ransomware attack, with anonymous sources at the impacted TV stations confirming the list of things affected includes: 

  • Internal networks. 
  • Email.  
  • Phones.  
  • File videos and graphics. 
  • Anything that requires company logins. 

With the attack on Sinclair affecting all these factors, Bill Lawrence, CISO at SecurityGate, said “it would be hard for them to order a pizza together, much less work on business continuity”. Unsurprisingly, disruptions are expected to continue as Sinclair works to overcome these hurdles and recover. 

Sinclair shares closed Monday at 26.39 dollars, a fall of 2.9 percent, showing another impact. The attack has also forced the company to agree to a short-term extension on its ongoing negotiations with Dish.

Cyber attacks on the rise 

Sinclair joins an ever-increasing list of both large and small businesses, along with schools, hospitals, universities and other institutions that have become victims of ransomware, with hackers using the malware to encrypt victims’ data, often critical to operations, and holding it hostage under lock-and-key until, theoretically, the victim has paid the ransom.

Due to their effectiveness and to ransomware-as-a-service groups, ransomware attacks have increased exponentially, with an increase of 288 percent for the first half of 2021.

After the ransomware attack on the US Colonial Pipeline, the US stepped up its game by outlining the 16 critical infrastructure sectors which would garner a response from the US government under CISA. Last week, President Biden and his administration had a two-day meeting with over 30 countries to discuss the global security threat that ransomware poses and to call for international cooperation in order to combat it.

However, so far, ransomware attacks have not yet slowed in their increase, with some sectors like the banking industry seeing a whopping 1318 percent increase in 2021 alone.

Sinclair is the latest in a long line of victims which, for the foreseeable future, is only set to increase. 

Leigh Anne Arnold, a spokeswoman for Sinclair, has stated the company is “working diligently to address the incident and to restore operations quickly and securely”. At time of publication, the identity of the threat actors responsible for the attack remains unclear.
