UPDATE: Oct. 21, 2021: Researchers have linked the ransomware attack against Sinclair Broadcast to sanctioned hacking organization Evil Corp., which used the Macaw malware variant to access the network, according to a spokesperson for Recorded Future. Sinclair Broadcast officials did not return a request for comment.
Macaw is linked to the WastedLocker ransomware strain. Researchers say the same organization and strain is connected to the attack on Olympus, which began Oct. 10.
"In the best interests of the security of our system, our customers and their patients, we will not comment on criminal actors and their actions, if any," a spokesperson for Olympus said via email. "We are committed to providing appropriate notifications to impacted stakeholders."
- Sinclair Broadcast Group, one of the largest local news providers in the U.S., confirmed it was hit by ransomware over the weekend, according to a regulatory filing with the Securities and Exchange Commission. The attackers encrypted a number of workstations and servers inside the company and the incident led to disruptions of several local broadcasts and impacted internal office functions, according to the filing.
- The company also confirmed data was stolen in connection with the attack, however officials are trying to figure out exactly what information was removed, according to the filing. Senior company executives were notified and the company launched an internal investigation after taking steps to contain the attack and implement an incident response plan.
- Sinclair engaged an outside cyber forensics team, legal counsel and other professionals, and notified law enforcement and other government agencies, according to the filing. No details were provided about whether a ransom was demanded or who was behind the attack.
The attack played out over the weekend as local news broadcasts were interrupted with various technical issues. News anchors warned viewers that broadcast feeds from Maryland to Ohio and beyond had been affected.
The company owns, operates or provides services to 185 television stations in 86 markets across the country. The company also owns or operates 21 sports network brands. Sinclair responded quickly due in part to the obvious impact the attack was happening on its live newscasts and other programming.
Sinclair is not the only media company recently affected by a cyberattack. Cox Media earlier this month confirmed it was attacked by an unauthorized actor in June that created a backup copy of data from its computer networks and tried to remove a copy of that data from its network. Cox retained outside cyber experts and also notified the FBI, according to the filing.
Initial reports of the Sinclair incident did not say how long the attackers were inside the company's IT network, but security researchers said they could have lingered inside the system anywhere from several days to several months.
"Some ransomware operators prefer to take their time, while others strike quickly," said John Shier, Sophos senior security advisor. "Regaining control of the environment is usually the first step in the recovery process."
It's impossible to say how long the attackers lingered in the company systems unless Shier can get a closer look, he said.
"Based on the areas compromised, the likelihood is longer than shorter, but that also depends on how widespread the ransomware malware was able to be distributed," Jon Clay, VP of threat intelligence at Trend Micro, said. "At this point, Sinclair is in the midst of their incident response process and are likely assessing how they can respond and get their production systems back online."
Television news is a highly sought after target of ransomware groups, as these types of organizations run a 24/7 business, Clay said. If an attacker can get into their production environment and impact broadcasts, the company is much more willing to pay a ransom in order to get its systems back up and running.
Sinclair said in the statement the attack was impacting the provision of its local advertisements by local broadcast stations on behalf of the company. The company is working to securely restore operations but cannot yet determine whether the attack will have a material impact on its business, operations or financial results.