The attack has caused and may continue to cause disruption to parts of Sinclair's business.
October 18, 2021
Sinclair Broadcast Group, the second-largest TV station operator in the United States, was hit with a ransomware attack this past weekend.
In the attack, servers and workstations in Sinclair’s environment were encrypted with ransomware, and office and operational networks were disrupted. The attackers also took data from the company’s network.
Sinclair says it’s working to determine what information the data contained. In addition, it will take other actions as appropriate based on its review.
Upon discovering the attack, Sinclair notified senior management and implemented its incident response plan. Moreover, it took measures to contain the incident and launched an investigation.
“Legal counsel, a cybersecurity forensic firm, and other incident response professionals were engaged,” it said. “The company also notified law enforcement and other governmental agencies. The forensic investigation remains ongoing.”
The Sinclair ransomware attack has caused and may continue to cause disruption to parts of the company’s business. That could include an impact on local advertisements run by local broadcast stations.
“As the company is in the early stages of its investigation and assessment of the security event, the company cannot determine at this time whether or not such event will have a material impact on its business, operations or financial results,” it said.
Sinclair owns 185 television stations in 86 markets, according to its website.
Ron Bradley is vice president of Shared Assessments. This is how he summed up the Sinclair ransomware attack: “Why hunt for moose when you have thousands of rabbits running around?”
“The reality of Sinclair TV stations being disrupted is just another example of threat actors taking advantage of soft targets,” he said.
Generally speaking, hackers aren’t holding big banks hostage with ransomware attacks, Bradley said. That’s because they have taken precautions to secure their perimeters. They’ve minimized their blast radius and controlled internal lateral movement.
“The sad part of the story is, many small and medium size businesses (aka bunny rabbits) don’t have the wherewithal, both financially and technologically, to protect their assets,” he said. “It simply has not been part of their program. This is what makes them a soft target.”
Sam Curry is Cybereason’s chief security officer. He said if the hackers are identified, the U.S. government will likely respond if broadcasting networks are taken offline.
“After all, we witnessed a swift and decisive response earlier this year after the Colonial Pipeline and JBS Foods ransomware attacks caused disruptions to gasoline deliveries on the East Coast and nationwide food disruptions,” he said. “If we have learned anything from the deluge of ransomware attacks in 2021, the public and private sector need to invest now to ratchet up prevention, detection and improve resilience.”
Garret Grajek is CEO of YouAttest, a cloud-based identity governance and administration (IGA) provider.
“Penetration of all our key systems, water, energy, transportation and media is a grave concern for western countries,” he said. “The fact that a major media outlet like Sinclair was affected shows how vulnerable even those with security resources are to cyberattacks.”
Sinclair conducted an enterprise-wide password reset, Grajek said. That implies they may feel it was a compromised credential that caused the attack.
Enterprises need to go beyond just password resets and even two-factor authentication (2FA), and start understanding the scope and capabilities of all the identities in their enterprises, Grajek said.
Businesses must practice the principle of least privilege, he said, which limits access to resources that could be impacted in an attack.
Hackers easily guess and steal user accounts, Grajek said. They then conduct lateral movement across the enterprise and privilege escalation to obtain access to valued resources.
Enterprises must know the rights granted and triggered when privileges are modified, he said.