Sinclair Broadcast Group suffered a ransomware attack that caused massive network disruptions as well as a data breach.
One of the U.S.'s largest publicly traded media companies disclosed the incident Monday after discovering servers and workstations were encrypted with ransomware over the weekend. The investigation into a "potential security incident" started Saturday, but by Sunday it was clear that "certain office and operational networks were disrupted," according to the company's statement.
The Maryland-based company confirmed in a statement on its website, as well as in an SEC filing Monday, that data was stolen, though the types and volume of data affected are unknown. Ransomware gangs have increasingly employed the tactic of both encrypting and stealing data in the hopes of further extorting victims into paying.
Sinclair has more than 4,000 employees according to its LinkedIn profile, but the potential impact of the data breach extends beyond the company's headcount. Founded in 1986, Sinclair operates at least 21 regional sports network brands, and provides services to 185 television stations in 86 markets. While the scope of the breach has yet to be determined, Sinclair said it is working to determine exactly what information the data contained.
That work included implementing an incident response plan with legal counsel and an unnamed cybersecurity forensic firm. In a statement to SearchSecurity, Sinclair said the firm has "assisted other companies in similar circumstances."
SearchSecurity asked the company for additional information about the incident, including the ransomware variant used in the attack and whether a ransom payment has been made. Sinclair did not comment.
In its statement, the company said it notified law enforcement and other governmental agencies. While an investigation has been launched, it appears fallout from the attack is ongoing.
"The event has caused -- and may continue to cause -- disruption to parts of the company's business, including certain aspects of its provision of local advertisements by its local broadcast stations on behalf of its customers," the statement said.
One of Sinclair's affiliates, Fox 17 WZTV, issued a statement on its website regarding how "system-wide network technical difficulties impacted its streaming abilities."
"We are also currently unable to access our email and your phone calls to the station," the statement said.
Similarly, WLOS 13 reporter Caitlyn Penter took to Twitter Monday with email concerns.
"FYI if you email me something I won't see it. Please call," the tweet said.
The Sinclair-owned television station also posted its own statement on the WLOS 13 Twitter account, addressing technical difficulties that viewers may have experienced.
"This is impacting our live streams and our website. We will share news updates, as we receive them, here on social media," the tweet read.
According to the Sinclair statement, the company cannot determine the material impact the attack will have on its businesses, operations or financial results. Ransomware attacks have been ramping up since 2020, and Emsisoft threat analyst Brett Callow said other major media companies, including Entercom Communications and Cox Media Group, as well as various newspapers, have been hit in recent years. The timing of the attack also lines up with prior ransomware incidents.
"This is another high-profile attack that has occurred over a weekend -- something CISA warned about at the end of August," Callow said in an email to SearchSecurity.
CISA, as well as other governmental agencies including the FBI, has continually warned businesses about ransomware threats. In June, the White House issued its own directive specifically for businesses that included several recommendations and best practices on staying vigilant around ransomware.
It appears Sinclair will use this incident to analyze its security posture. "As the company conducts its investigation, it will look for opportunities to enhance its existing security measures," the Sinclair statement read.