Sinclair TV network crippled by potential ransomware attack


Update October 18, 09:00 EST: Sinclair Broadcast Group has confirmed that it was hit by a ransomware attack over the weekend [press release, SEC filing]. Sinclair also said attackers have stolen data from the company's network.

On October 16, 2021, the Company identified and began to investigate and take steps to contain a potential security incident. On October 17, 2021, the Company identified that certain servers and workstations in its environment were encrypted with ransomware, and that certain office and operational networks were disrupted. Data also was taken from the Company’s network. The Company is working to determine what information the data contained and will take other actions as appropriate based on its review.

Promptly upon detection of the security event, senior management was notified, and the Company implemented its incident response plan, took measures to contain the incident, and launched an investigation. Legal counsel, a cybersecurity forensic firm, and other incident response professionals were engaged. The Company also notified law enforcement and other governmental agencies. The forensic investigation remains ongoing.

While the Company is focused on actively managing this security event, the event has caused – and may continue to cause – disruption to parts of the Company’s business, including certain aspects of its provision of local advertisements by its local broadcast stations on behalf of its customers. The Company is working diligently to restore operations quickly and securely.

As the Company is in the early stages of its investigation and assessment of the security event, the Company cannot determine at this time whether or not such event will have a material impact on its business, operations or financial results.

As the Company conducts its investigation, it will look for opportunities to enhance its existing security measures.


TV stations owned by the Sinclair Broadcast Group broadcast television company went down over the weekend across the US, with multiple sources telling BleepingComputer a ransomware attack caused the downtime.

Sinclair Broadcast Group is a Fortune 500 media company (with annual revenues of $5.9 billion in 2020) and a leading local sports and news provider that owns multiple national networks.

Its operations include 185 television stations affiliated with Fox, ABC, CBS, NBC, and The CW (including 21 regional sports network brands), with approximately 620 channels in 87 markets across the US (amounting to almost 40% of all US households).

This is the second incident to impact Sinclair's TV stations since July 2021, when the company asked all Sinclair stations to change passwords "as quickly as possible" following a security breach.

Ransomware attack likely behind TV stations going down

Sources have told BleepingComputer that a ransomware attack caused these significant technical issues. The attackers have been able to impact many TV stations via Sinclair's corporate Active Directory domain.

BleepingComputer was also told that they shut down Active Directory services for the domain, leading to wide disruption throughout the entire organization and affiliates by blocking access to domain resources across the network.

Several corporate assets were taken down in the incident, including the email servers, broadcasting, and newsroom systems, forcing TV stations to create Gmail accounts to receive news tips from viewers and use PowerPoint for newscast graphics.

While regional sports channels were largely not affected by the incident, there are reports that, in some US markets, local NFL games were replaced by national sports programming (such as bowling).

Because of the ongoing issues, some stations were also forced to switch to live Facebook streams instead of their regular newscasts, while others were forced to delay evening newscasts altogether [12].

Sinclair TV stations slowly recovering

Since reports of Sinclair TV stations going down began coming in, as first reported by The Record, some of them have managed to start broadcasting again. However, it's evident that the incident severely impacted them.

For instance, a source told BleepingComputer that, even though KABB is back up, they have issues with weather graphics.

WCHS is also up, with news stories from Fox NewsEdge being streamed straight out of a browser window in fullscreen, with WPGH and KOKH also having problems displaying their standard graphics.

Others, like WBSF and WCWN, are now broadcasting different programming, switching from CW programming to "Charge!" subchannels.

A handful seems to have been more severely affected, such as WPFO, which did a half-hour newscast instead of the usual full hour, and WTAT and WRGB, which had to cancel their newscasts altogether.

After the story was published, a Sinclair spokesperson told BleepingComputer that the company was the target of a ransomware attack:

Sinclair Broadcast Group recently identified a cybersecurity incident involving our network. As a result of the incident, certain devices were encrypted with ransomware, data was taken from our environment, and certain business operations have been disrupted. Senior management was notified, and we implemented our incident response and business continuity protocols, took measures to contain the incident, and launched an investigation. A cybersecurity firm that has assisted other companies in similar circumstances was engaged, and law enforcement and other governmental agencies were notified.

We are working diligently to address the incident and to restore operations quickly and securely. As we work to complete the investigation, we will look for opportunities to enhance our existing security measures. We appreciate your patience and understanding as we work through this incident.
