The hacking tool used in a ransomware attack that disrupted programming at Sinclair Broadcast Group is similar to malicious code previously used by a Russian crime group sanctioned by the US government, according to a security researcher who has viewed the ransom note.
The code also overlaps with previous hacking tools attributed to the Russian group, according to some analysts who have studied it.
The crime group, known as Evil Corp, is believed to be primarily motivated by money and is known for flaunting its ill-gotten wealth. US authorities have previously accused it of stealing $100 million from victims around the world, in part by accessing the victims’ bank account login information.
“According to someone that I have been in direct contact with, who is part of the recovery team at Sinclair, the company was hit with Macaw ransomware, which appears to be a new ransomware from Evil Corp,” Allan Liska, senior intelligence analyst at cybersecurity firm Recorded Future, told CNN Business.
Sinclair, which is the second largest operator of TV stations in the US, has been investigating the ransomware attack since Saturday. The disturbance impeded the production of local newscasts throughout the day on Sunday and again on Monday, Sinclair staffers previously told CNN Business. The company also said it was working to determine what information the hackers stole and that it had notified law enforcement and US government agencies about the attack.
Neither Sinclair nor US government agencies have named a culprit in the hack. Sinclair declined to address the potential role of Evil Corp in the ransomware attack, citing an ongoing investigation into the incident.
“Our focus remains on continuing to work closely with a third-party cybersecurity firm, other incident response professionals, law enforcement and governmental agencies as part of our investigation and response to this incident,” Sinclair said in a statement Thursday.
The company also said it is making progress in returning to regular business operations.
“While we are still working to return to our complete regular programming schedule and to resolve all programming issues that may arise, network and major sports programming has aired as scheduled, a large portion of other programming has and is airing as scheduled, and all our news stations are providing news programming to our viewers,” Sinclair said.
The possible connection to Evil Corp, which Bloomberg News first reported, would mean Sinclair Broadcast Group had been in the crosshairs of a formidable foe.
Though Evil Corp is thought to be mostly interested in making money, the Treasury Department in 2019 slapped sanctions on alleged members of Evil Corp and accused the group’s leader of providing “direct assistance to the Russian government’s malicious cyber efforts.”
The sanctions generally prohibit organizations that are victimized by Evil Corp from paying the group a ransom to unlock their data. Amid a steady stream of ransomware attacks on US companies this year, the Biden administration has tried to discourage companies from paying ransoms out of concern that it only invites more attacks.