Sinclair confirms ransomware attack after TV station disruptions

The company suffered another cyberattack in July that forced them to reset all shared administration systems at all of their stations.

Sinclair Broadcast Group -- which controls hundreds of TV stations across the US -- has confirmed a ransomware attack on certain servers and workstations.

In a statement and notice sent to the SEC, Sinclair said it was notified of a cybersecurity incident on Saturday, October 16. By Sunday, the company confirmed that it was a ransomware attack and backed up what many online had been reporting -- outages at numerous local TV stations. 

"Data also was taken from the Company's network. The Company is working to determine what information the data contained and will take other actions as appropriate based on its review. Promptly upon detection of the security event, senior management was notified, and the company implemented its incident response plan, took measures to contain the incident, and launched an investigation," Sinclair said. 

"Legal counsel, a cybersecurity forensic firm, and other incident response professionals were engaged. The company also notified law enforcement and other governmental agencies. The forensic investigation remains ongoing. While the Company is focused on actively managing this security event, the event has caused – and may continue to cause – disruption to parts of the company's business, including certain aspects of its provision of local advertisements by its local broadcast stations on behalf of its customers." 

The company went on to say that it is unclear what kind of impact the attack will have on its "business, operations or financial results." It did not say which ransomware group was behind the attack and did not respond to requests for comment. 

Sinclair controls 21 regional sports network brands while owning and operating 185 television stations in 86 markets. The company also controls the Tennis Channel as well as Stadium and had an annual revenue of $5.9 billion in 2020.

The attack was first reported by The Record after viewers took to Twitter and Reddit to report confusion over outages in their local markets. 

Internal sources told The Record that the attack involved the company's internal corporate network, email servers, phone services, and the broadcasting systems of local TV stations. Dozens of channels were unable to show local morning shows and NFL games on Sunday. 

Some channels were able to resume broadcasts because the attack did not reach Sinclair's "master control" broadcast system. 

But the attack is still crippling dozens of stations even as others return to normal. 

The company suffered another cyberattack in July that forced them to reset all shared administration systems at all of their stations. 

This is the second ransomware incident targeting news stations this year, with Cox Media Group recently admitting that it was hit with a ransomware attack in June.

Ransomware experts like Darktrace's Justin Fier said that for broadcasters and media, these attacks don't only disrupt operations but potentially give bad actors a platform to distribute disinformation on a global stage. 

"In the case of the Sinclair breach, simply having access to the broadcast network may itself be more valuable for attackers than a ransomware payment," Fier said. 

"The reality is that the organization's back is against the wall -- it is clear that the security team at Sinclair have been caught off guard and outpaced and now must decide between system downtime or paying a hefty ransom."

Others noted that it was not surprising to see the attack occur on a weekend, when ransomware actors know IT departments are working with skeleton crews.

Bill Lawrence, CISO at SecurityGate, noted that the attack didn't spread to Sinclair's 'master control' broadcast system, indicating they may be using network segmentation or a higher level of protection and care for the 'crown jewels.' 

"Also, they lost their internal network, email, phones, along with local broadcasting systems. For your next incident response plan drill, put the participants in separate rooms and forbid the use of company email or phone calls," Lawrence said. 

"It would be hard for them to order a pizza together, much less work on business continuity."