Apparent Cyberattack Disrupts Sinclair Programming

“We’re having some technical difficulties,” tweeted WJLA-TV Washington, D.C., news anchor Anna-Lysa Gayle Sunday. “The newscast will be a little untraditional tonight.” “We are not on the air this morning due to technical difficulties. We are working to fix them as soon as possible,” tweeted Theron Zahn, anchor with KOMO-TV Seattle, on Sunday morning. WJLA’s afternoon local news broadcast appeared to air normally Monday.

In the SEC disclosure, Sinclair said it identified “a potential security incident” Saturday and found Sunday that “certain office and operational networks were disrupted,” and some servers and workstations were encrypted with ransomware. “Data also was taken from the Company’s network,” the release said. Sinclair “is working to determine what information the data contained.”

Locking up data and disrupting systems that operate on a schedule -- such as systems used to deliver broadcast programming on time -- is standard in ransomware attacks, said Charlie Gero, Akamai Security Technologies Group chief technology officer, in an interview. “Time-driven companies frequently get targeted.”

The FCC “should be doing a lot more” on cybersecurity, said former Public Safety Bureau Chief and current Virginia Tech cybersecurity professor David Simpson. The FCC under both former Chairman Ajit Pai and current acting Chairwoman Jessica Rosenworcel have focused on supply chain security at the expense of issues such as ransomware, he said. Simpson said the agency should modify its outage reporting rules so incidents like Sinclair’s would have to be reported. Reporting of the outage was likely partially motivated by needing to disclose information to shareholders, but many broadcasters aren’t publicly held, he noted: Reporting would lead to more transparency and information sharing. The FCC didn't comment Monday.

Sinclair activated an incident response plan and contacted legal counsel, a cybersecurity forensic firm, and law enforcement agencies about the attack, the release said: The company “is working diligently to restore operations quickly and securely."

The actions identified in the release are part of the recommended course for companies in this situation, said Dinsmore attorney Matthew Diaz. He praised the company for having an incident response plan. Sinclair faces a long road, Diaz said. The company will have to determine what systems were affected, what data was breached, and whether that data contained personal or identifying information that requires disclosures.

Sinclair will likely also have to negotiate with the ransomware attacker, Diaz said. Due to Sinclair’s large size and the breadth of the attack’s effects, it's likely the attack specifically targeted it, said Gero, although he said he also wouldn’t be surprised if it turned out that “someone got lucky.” This “is not a vanilla attack,” said Internet Security Alliance President Larry Clinton.

Gero said Sinclair’s response is part of a growing trend of companies being more aware of cyberattacks. After the Colonial Pipeline attack and an executive order from the Biden administration, “there is board level visibility” of the cyberattack threat, Gero said. Cox Media Group was also affected by an apparent cyberattack over the summer (see 2106030063).

Federal handling of cyberattacks is insufficient, said Clinton. Very few cyberattacks end in prosecution, and some are the work of foreign governments, Clinton said. “Law enforcement has not been particularly effective.” As Sinclair does its investigation, it will “look for opportunities to enhance its existing security measures,” said the company.

“This is yet another unfortunate reminder that cybercrime is a serious threat, including to America’s telecommunications infrastructure,” emailed NAB Chief Technology Officer Sam Matheny. “NAB provides resources to help local radio and TV stations promote cyber-safety through training, education, information sharing and offering resources.”