Last week Sinclair Broadcast Group, a US local TV and radio network, was hit by a ransomware attack which caused significant disruption to its regular broadcasts. The attack affected Sinclair stations’ ability to run local ad campaigns, to run on-screen graphics, and even to use internal communications tools, according to reports.
We’ve already seen several other ransomware attacks against broadcasters this year – fellow US operator Cox Media was hit in June, while Australia’s Nine Network was temporarily taken down by an attack in March.
Lisa Plaggemier, interim executive director at the National Cybersecurity Alliance, warns that for broadcasters, it’s a case of “when not if” they’ll be targeted by a ransomware attack. Plaggemier explained to VideoWeek how these attacks tend to unfold, and how broadcasters and media companies can best protect themselves.
We still don’t have the full details of the attack against Sinclair, but how does a ransomware attack like this usually unfold?
The most common way that these attacks actually start is with a good old-fashioned phishing email. Usually the perpetrators are cybercriminals and nation-state actors – Russia, China, North Korea, and Iran are the biggest offenders in the world. Often the two work together, either by a government tacitly condoning, or actually coordinating with, cybercriminal organisations.
Once someone clicks on a phish, they might get a malware infection from the payload in the email. Or the email might have a malicious link, and once the user visits the linked website, they might click on something which downloads the ransomware.
What the ransomware then does is go through the system and start encrypting all sorts of data. The bad guys are the only ones with the encryption key, and they ask for payment in exchange for the key.
What happens next depends on the level of internal protection. In the worst-case scenarios, where there are no backups for infected data, or the malware spread to backup data as well, you have to burn everything down and start again. You can’t clean ransomware off; there’s no antivirus which is going to remove it from your system.
In the best-case scenario where you have great backups, you’ll go offline for a short period of time while you burn down everything that’s infected, and then switch to your backups and make sure you’ve got new backups. Then you can go online again.
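The answer above describes ransomware as something that walks the file system encrypting as it goes. The defender-side counterpart is spotting that pattern early on an endpoint. The following is an added example, not code from the interview or from the National Cybersecurity Alliance: a small heuristic detector run over constructed file-activity events. The event format (`<epoch> <host> <ACTION> <path>`), the host names, the file paths, the ransom-note filename pattern and the thresholds are all assumptions made up for the example.

```python
"""Heuristic detector for ransomware-like file activity (added example).

Not code from the interview or the National Cybersecurity Alliance. The event
format "<epoch> <host> <ACTION> <path>", the hosts, paths and thresholds are
assumptions for illustration only.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import os
import re

RENAME_RE = re.compile(r"^(\d+) (\S+) RENAME (\S+) -> (\S+)$")
OTHER_RE = re.compile(r"^(\d+) (\S+) (WRITE|CREATE|DELETE) (\S+)$")
# Filenames that look like a note dropped next to encrypted files (assumed pattern).
NOTE_RE = re.compile(r"(readme|how_to|recover|restore|decrypt)[^/\\]*\.(txt|html|hta)$", re.I)


@dataclass(frozen=True)
class Alert:
    host: str
    reason: str
    at: int


def parse_event(line):
    """Parse one event line; returns (ts, host, action, path, new_path) or None."""
    m = RENAME_RE.match(line)
    if m:
        ts, host, src, dst = m.groups()
        return int(ts), host, "RENAME", src, dst
    m = OTHER_RE.match(line)
    if m:
        ts, host, action, path = m.groups()
        return int(ts), host, action, path, None
    return None


def detect(lines, window_seconds=60, rename_threshold=20):
    """Return one Alert per (host, reason) for activity that looks like mass encryption.

    Heuristic 1: inside a sliding window, at least `rename_threshold` renames on one
    host change files to the *same* new extension (encryptors rename as they go).
    Heuristic 2: a note-like file is created on a host that is also renaming files.
    The thresholds are illustrative; tune them against your own baseline.
    """
    recent = defaultdict(deque)       # host -> deque of (ts, new_extension)
    seen = set()
    alerts = []

    def raise_once(host, reason, ts):
        if (host, reason) not in seen:
            seen.add((host, reason))
            alerts.append(Alert(host, reason, ts))

    for raw in lines:
        ev = parse_event(raw.strip())
        if ev is None:
            continue                  # unparseable line: skipped, not fatal
        ts, host, action, path, new_path = ev
        if action == "RENAME":
            old_ext = os.path.splitext(path)[1].lower()
            new_ext = os.path.splitext(new_path)[1].lower()
            if new_ext and new_ext != old_ext:
                q = recent[host]
                q.append((ts, new_ext))
                while q and ts - q[0][0] > window_seconds:
                    q.popleft()       # drop renames that fell out of the window
                counts = defaultdict(int)
                for _, ext in q:
                    counts[ext] += 1
                top_ext, top_n = max(counts.items(), key=lambda kv: kv[1])
                if top_n >= rename_threshold:
                    raise_once(host, f"mass_rename:{top_ext}", ts)
        elif action in ("WRITE", "CREATE") and NOTE_RE.search(path) and recent.get(host):
            raise_once(host, "ransom_note", ts)
    return alerts


# Constructed sample: one workstation renaming 25 files to ".locked" then dropping a
# note, plus a second host doing a handful of ordinary renames that keep the extension.
SAMPLE_LINES = [
    "1000 ws-news-02 WRITE D:/rundowns/6pm.docx",
    "1001 ws-news-02 RENAME D:/rundowns/6pm.docx -> D:/rundowns/6pm_final.docx",
    "1002 ws-news-02 RENAME D:/graphics/lower_third.psd -> D:/graphics/lower_third_v2.psd",
] + [
    f"{1010 + i} ws-edit-07 RENAME C:/Users/jo/Documents/file{i:02d}.xlsx -> "
    f"C:/Users/jo/Documents/file{i:02d}.xlsx.locked"
    for i in range(25)
] + [
    "1040 ws-edit-07 CREATE C:/Users/jo/Documents/HOW_TO_RESTORE_FILES.txt",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

On the constructed sample the editing workstation trips the mass-rename rule at the twentieth rename and the note rule afterwards, while the news host's two ordinary renames never count because the extension does not change. The two heuristics are deliberately cheap so they can run on an endpoint agent; they give you the early signal that decides whether you are in the "burn down and restore" case or the "contain one machine" case.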
How can broadcasters best prevent these attacks?
The phishing emails they’re sending out aren’t super obvious anymore – they’re not like the old ‘Nigerian prince’ emails we’ve all seen before. These groups work with native English speakers, they’re using actual logos from real companies, and often they’re using compromised email boxes from real people. Obviously if it’s coming from a real email address, it looks incredibly legitimate.
And they’re often ‘spear phishing’ people, which means the email is crafted specifically for the person and role that’s being targeted. You could send a spear phish to someone in HR that’s crafted to look like it’s from a recruiter, and has an attachment called ‘resume.doc’.
So people have to be extra vigilant. There’s a lot of technology which catches and filters out a lot of these emails. But millions and millions of these emails hit company inboxes on a daily basis. It’s hard for the technology to be right 100 percent of the time. And if some emails get through the filters, it only takes one person to click on it for the hackers to get access.
That’s partly what our organisation is about – we educate people and give tips and advice for how to avoid clicking on these things.
So one key prevention tactic is being aware of how spear phishing works and what to look out for. The other is having data backups that are segmented from your network in a way that means the malware can’t reach them. There will still be disruption as you rebuild and roll out your backups, but the disruption will be minimised.
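Segmented backups only pay off if you can prove the copy is still clean before you restore from it, which is the "make sure you've got new backups" step from the earlier answer. The following is an added example, not code from the interview or from the National Cybersecurity Alliance: it records a hash manifest when a backup is taken and later verifies the set, reporting files that went missing, changed, or changed into something that looks like ciphertext. The manifest layout (`<sha256>  <relative path>`), the sample files and the entropy threshold are assumptions.

```python
"""Verify an offline backup set against a hash manifest (added example).

Not code from the interview or the National Cybersecurity Alliance. The
manifest format, sample files and entropy threshold are assumptions.
"""
import hashlib
import math
import os
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256"
ENTROPY_LIMIT = 7.5  # bits per byte; encrypted data sits close to 8.0, text far below


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte; a cheap test for 'does this look encrypted?'."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def write_manifest(backup_root):
    """Hash every file in the set; run when the backup is taken, before it goes offline."""
    root = Path(backup_root)
    lines = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            lines.append(f"{sha256_of(p)}  {p.relative_to(root).as_posix()}")
    (root / MANIFEST_NAME).write_text("\n".join(lines) + "\n")
    return len(lines)


def verify_backup(backup_root):
    """Compare the set against its manifest and return a dict of findings.

    Modified files whose content is also high-entropy are listed under
    'looks_encrypted', the signature of a backup the malware managed to reach.
    """
    root = Path(backup_root)
    expected = {}
    for line in (root / MANIFEST_NAME).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        expected[rel] = digest
    findings = {"ok": [], "missing": [], "modified": [], "looks_encrypted": [], "unexpected": []}
    for rel, digest in expected.items():
        p = root / rel
        if not p.is_file():
            findings["missing"].append(rel)
        elif sha256_of(p) == digest:
            findings["ok"].append(rel)
        else:
            findings["modified"].append(rel)
            if shannon_entropy(p.read_bytes()) > ENTROPY_LIMIT:
                findings["looks_encrypted"].append(rel)
    present = {p.relative_to(root).as_posix()
               for p in root.rglob("*") if p.is_file() and p.name != MANIFEST_NAME}
    findings["unexpected"] = sorted(present - expected.keys())
    return findings


def demo():
    """Build a small constructed backup set, verify it, then damage it and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "rundowns").mkdir(parents=True)
        (backup / "rundowns" / "6pm.txt").write_text("A block: top stories\n" * 50)
        (backup / "ads.csv").write_text("slot,advertiser\n1,Example Motors\n" * 40)
        write_manifest(backup)
        clean = verify_backup(backup)
        # Stand-in for a backup volume the malware reached: one file overwritten
        # with random bytes (playing the role of ciphertext), one deleted, one added.
        (backup / "ads.csv").write_bytes(os.urandom(4096))
        (backup / "rundowns" / "6pm.txt").unlink()
        (backup / "HOW_TO_RESTORE.txt").write_text("constructed placeholder note\n")
        tampered = verify_backup(backup)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean set:", before)
    print("damaged set:", after)
```

Two design points matter for the segmentation the answer describes: the manifest should be written by the backup host and kept on the isolated side (or on separate media), never on the production network the malware already owns, and verification should run from that isolated side as a pull, so production systems never hold credentials that can write to the backup.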
Were there specific lessons that can be learned from the Sinclair case?
One thing that was really interesting here was that we’ve seen reports that stations no longer owned by Sinclair were affected. Those stations have some legacy systems that were still connected to the Sinclair mothership in some way.
So there’s a big lesson for IT professionals at media companies in that – if you’ve cut the cord, you have to really cut the cord.
In cybersecurity we have a concept called technical debt, which is technical work that doesn’t get done for whatever reason – be it budget or time. In this case, there clearly wasn’t work done in completely separating systems from Sinclair. And technical debt is frequently where a lot of security vulnerabilities pop up, and those vulnerabilities have the ability to completely disrupt your business.
So that’s a big lesson – your basic housekeeping and hygiene is important. And honestly, if I’m a station and I’ve had disruption in my service because of a former business relationship with them, I’d be scratching my head and asking how that happened!
There have been quite a few high profile ransomware attacks against broadcasters in the past few years. Do you think broadcasters are increasingly being targeted, and if so, what’s driving this increase?
There absolutely has been an increase. If you put attacks like this together with the Russian misinformation and disinformation campaigns, media outlets, including social media, are being targeted at an insane rate.
Ransomware attacks in general have had a 50 percent increase over the first six months of this year, so it’s definitely on the rise. And the latest estimate I saw is that ransomware attacks are going to cost the global economy $20 billion this year. So it’s a huge tax on the global economy, but frankly it’s also a threat to democracy.
Businesses and broadcasters need to treat this as a ‘when’, not an ‘if’. And they can prepare for attacks, but that involves getting your leadership management and your technology people around the same table. One common problem we see is there’s a disconnect between IT and security professionals and the general leadership – they’re speaking two different languages.
So it’s important to get everyone around the table to talk about these issues, and do a good old-fashioned risk assessment like you would for any other part of your business. We suggest something called a tabletop exercise where you practice having an actual ransomware attack. That will expose any weaknesses in your business’s resiliency or disaster recovery plans. And it allows you to have corporate communications ready for if an attack happens. That’s something Sinclair will have done, because they were able to issue a statement really quickly.
You can also make the policy decision in advance over whether or not you want to be the kind of company that gives money to cybercriminals. And if you decide that you won’t ever pay ransom, then you can start asking what you have to do to be prepared, so that you don’t have to pay.
Whether or not to pay is literally a moral question that companies should be answering in advance. And once you’ve made that decision, you can look at appropriate measures like ransomware insurance.
Broadcasters potentially give hackers the ability to distribute information to a large audience. Do you think this is a factor, and will we see cases in the future where hackers target broadcasters with the primary purpose of distributing misinformation?
We’ve seen cases in other industries where hackers have taken over a company’s website and then used it to publish their own message. So I don’t think it’s that farfetched to assume that they would do the same thing with a broadcaster or mainstream publisher.
Unfortunately, with the way they’ve manipulated social media for spreading misinformation and disinformation, they haven’t needed to hack social media companies to be able to propagate their message. I know the social media companies do a lot to try and mitigate that, but it’s still happening.
So I think we just have to look at the problem as a whole. If you’re a business leader looking at this and thinking ‘this won’t happen to me’ – I think you need to look at the global dynamics right now: how prevalent these attacks are, and the kinds of resources adversaries are using.
I’ve heard estimates before that there are 200,000 people in the Chinese cyber army hacking away at the rest of the world all day, particularly at Western democracies. So I think if you’re not prepared or working to prepare at this point, then you really need to catch up. Unfortunately, this isn’t going away any time soon.
What’s best practice for a broadcaster if they have been hit by a ransomware attack?
You have to rely on your IT professionals in-house to tell you what’s still safe to do. Only your internal IT folks are going to be able to tell what’s safe and what’s not, as they work to contain and mitigate the attack.
Transparency and speed are really important. And you’re going to want to take the advice of the law enforcement that you’re working with, so make sure you’re not doing anything that hampers their investigation from a communications perspective. And then obviously you’ll have a public affairs or a PR firm that will handle crisis communications and will help you get through it.
But I really think people shouldn’t be afraid of being transparent. The general public is increasingly aware that nobody is above this happening to them. And a part of good crisis communications is messaging an attack in a way that gains empathy for the victims, rather than letting any sort of victim shaming happen.