Dish Network is still trying to recover from a widespread outage it now attributes to a cyberattack in which personal information was likely stolen by the malicious hacker(s).

In a U.S. Securities and Exchange Commission (SEC) filing, Dish said the network outage affected internal servers and IT telephony. It also said the threat actor(s) extracted certain data from its IT systems.

“It is possible the investigation will reveal that the extracted data includes personal information,” it said. “The forensic investigation and assessment of the impact of this incident is ongoing. Dish, Sling and our wireless and data networks remain operational. However, the corporation’s internal communications, customer call centers and internet sites have been affected.”

Dish said it’s working to restore affected systems and making steady progress.

According to the Wall Street Journal, Dish was the worst performer in the S&P 500 Monday afternoon, with its shares down more than 6% as the outage continues.

Dish Attack a ‘Testament’ to the Weapons Used

Bud Broomhead is CEO of Viakoo, a provider of automated IoT cyber hygiene. He said attacks of this nature where both employees and customers are impacted highlights the need to build in resiliency and enforce network segmentation.

Viakoo’s Bud Broomhead

“That threat actors gained access to a system is one thing,” he said. “But for them to gain near-total control is another. That the attackers got this far is both a testament to the weapons they were using and also to the weakness of the defenses.”

Assuming the worst, threat actors likely have exfiltrated customer and corporate data, and remain on the network in some form, Broomhead said.

Potentially, this could be a test or mechanism for threat actors to gain control of broadcasting, he said. An example would be shutting down access to media in times of crisis.

“Ensuring that Dish’s systems are resilient to future attacks should be a priority in recovering from this episode, Broomhead said.

In retrospect, organizations could avoid almost all cyberattacks, he said.

“It comes down to how prepared an organization is across all potential attack surfaces and if their defenses are working as they should,” Broomhead said. “For example, are IoT/OT assets being protected at the same level as IT assets? And if not, are the network defenses strong enough to prevent a breach through IP cameras from transversing the network to control other systems (such as customer accounts or corporate data)?”

Dish Outage Likely Easier Due to Legacy Network Access Technologies

Alex Hoff is founder and chief product officer at Auvik Networks, a provider of cloud-based network management software.

Auvik’s Alex Hoff

“The outages Dish is experiencing does appear to be as a result of ransomware,” he said. “Ransomware spreads by exploiting vulnerabilities in unpatched software on machines, and then spreading across the corporate network. If the leaked memo is accurate and employees are being told not to log in to their VPN, this is one way Dish is attempting to protect its remote employees and curtail the spread of the ransomware.”

Companies must embrace a modern, zero-trust mindset for network access, Hoff said. That includes verifying the identity of the user, the machine, the network and the cloud. That way, the ransomware’s blast radius can be limited.

Dish Likely Could Have Thwarted Attack

Mike Parkin is senior technical engineer at Vulcan Cyber. He said a ransomware infection has likely taken hold in Dish’s environment. And it’s gotten somewhat out of control.

Vulcan Cyber’s Mike Parkin

“Besides the obvious inconvenience of losing access to their streaming media, it’s possible the threat actors are trying to gain – or have gained – access to Dish Network’s customer database with the personal and financial information it contains,” he said. “Hopefully, that’s not the case.”

The reported symptoms sound like a ransomware attack, Parkin said.

“Without knowing how it happened, it’s impossible to say whether it could have been avoided,” he said. “But the answer to that question is generally ‘yes.’ Whether the attack vector was [a] phishing attack against the user base, or a technical attack against one of the systems, it’s rare to find instances where something couldn’t have been done to thwart the attack before it started. It also seems like this attack spread across the environment and affected multiple systems, which indicates some internal weakness. Whether the failure was in detection, prevention or risk management is impossible to say without more data.”