Sinclair Broadcast Hack Linked to Notorious Russian Cybergang

(Bloomberg) -- A weekend cyberattack against Sinclair Broadcast Group Inc. was linked to one of the most infamous Russian cybergangs, called Evil Corp., according to two people familiar with the attack.


The Sinclair hackers used malware called Macaw, a variant of ransomware known as WastedLocker. Both Macaw and WastedLocker were created by Evil Corp., according to the two people, who requested anonymity to discuss confidential matters. Evil Corp. was sanctioned by the U.S. Treasury Department in 2019.

Since then, it has been accused by cybersecurity experts of rebranding in an attempt to avoid the sanctions. People in the U.S. are generally prohibited from engaging in transactions with sanctioned entities, including paying a ransom.

“Sinclair appears to have been hit by Macaw ransomware, a relatively new strain first reported in early October,” said Allan Liska, a senior threat analyst at the cybersecurity firm Recorded Future Inc. “There have not been any other Macaw victims publicly reported.”

A Sinclair representative didn’t immediately respond to a request for comment. Sinclair owns, operates and/or provides services to 185 television stations in 86 markets, according to its website.

The Macaw ransomware strain was first spotted by cybersecurity analysts in the past week, a person familiar with the research said.

Sinclair said in an earlier statement that it began to investigate a potential cyberattack on Oct. 16, and the next day determined that certain servers and workstations were encrypted with ransomware.

Data was also taken from the company’s network, and Sinclair is trying to determine what was stolen, according to the statement. The company notified law enforcement and engaged legal counsel, a cybersecurity forensic firm and “other incident response professionals.”

“While the company is focused on actively managing this security event, the event has caused – and may continue to cause – disruption to parts of the company’s business, including certain aspects of its provision of local advertisements by its local broadcast stations on behalf of its customers,” according to the statement.

The Record, a publication by Recorded Future, said the attack took down Sinclair’s internal network, email services, phone services and the broadcasting systems of local TV stations. As a result, many channels weren’t able to broadcast morning shows, news segments and scheduled NFL games, the Record reported.

In July, Sinclair performed a companywide password reset for IT resources shared by local stations after what it described as a potentially serious network security issue, according to the Record.

The Biden administration has taken steps to crack down on ransomware attacks, which have surged in recent years against businesses, municipalities, schools and even hospitals. Some of the most serious attacks in recent months, including a ransomware attack on Colonial Pipeline Co., were tied to Russia-linked groups.


©2021 Bloomberg L.P.