Sinclair Workers Say TV Channels Are in ‘Pandemonium’ After Ransomware Attack

In the early hours of Sunday morning, hackers took down the corporate servers and systems of Sinclair Broadcast Group, a giant U.S. TV conglomerate that owns or operates more than 600 channels across the country. 

Days later, inside the company, “it's pandemonium and chaos,” as one current employee, who asked to remain anonymous as they were not authorized to speak to the press, told Motherboard. 

Sinclair calls itself “the largest and most diversified television broadcasting company in the country,” but it has a controversial reputation. In the last few years, the company has aggressively tried to expand its already vast empire with an attempted—and failed—acquisition of Tribune Media. Critics have also criticized it for using so-called "must-run" segments to push local news stations around the country to run identical, conservative-leaning packages.

The company is now in the headlines for being the latest in a seemingly endless list of ransomware victims. Sinclair has released very few details about the attack since it was hacked Sunday. On Wednesday, Bloomberg reported that the group behind the attack is the infamous Evil Corp., a ransomware gang that is believed to be based in Russia and which was sanctioned by the U.S. Treasury department in 2019.  

The ransomware attack interfered with several channels’ broadcast programming, preventing them from airing ads or NFL games, as reported by The Record, a news site owned by cybersecurity firm Recorded Future. It has also left employees confused and wondering what's going on, according to current Sinclair workers.

“Whoever did this, they either by accident or by design did a very good job,” a current employee said in a phone call, explaining that there are some channels that haven’t been able to air commercials since Sunday. “We're really running in the blind [...] you really can't do your job.” 

The employee said that he was working on Sunday and was able to get two emails out to colleagues. “And one of them got it, and the other one didn’t,” they said.  

Employees did not have access to their emails until Tuesday morning, according to the two employees and text messages seen by Motherboard. The office computers, however, are still locked by the company out of precaution, and Sinclair told employees not to log into their corporate VPN, which they usually used to do their jobs. 

Until Thursday, the company was communicating with employees via text, according to the sources, who shared some of the texts sent by the company. In one of them, they called for an all hands meeting. The meeting, according to the two current employees, was quick and vague. 

Both sources said that the company should be more transparent with its own employees.

“We don't know if the payment portal was breached. We don't know if our information was breached, we know what things were breached,” one of the employees said. “But they're just not telling us, and they probably won't tell us for the time being.”

A Sinclair spokesperson declined to answer a series of detailed questions based on what the current employees said. Instead, the spokesperson sent the following statement: “Sinclair Broadcast Group continues to work diligently to restore the business operations that were disrupted by the recent cybersecurity incident. We are bringing the systems involved back online quickly and securely, and in a way that prioritizes critical business operations. All of our stations and Regional Sports Networks (RSNs) are currently on the air and broadcasting. While we are still working to return to our complete regular programming schedule and to resolve all programming issues that may arise, network and major sports programming has aired as scheduled, a large portion of other programming has and is airing as scheduled, and all our news stations are providing news programming to our viewers. Our teams are continuing to work around the clock to address this situation, and we appreciate our colleagues’ and viewers’ patience and support.”

The other current employee said that the stations he works on are not airing any commercials at all. 

“There is no work right now. Nothing works,” he said. 

Both employees said they were frustrated and worried that perhaps the hackers got their hands on sensitive personal data. One of them also complained that Sinclair let this happen.

“Did you not have a plan? Did you not think this was a possibility? I mean, that's what would be an interesting story, except me to tell you, they probably didn't. And how, how can you not in 2021, how could you not have a plan?” he said. “For us employees this is karma. Karma for the company.”

Subscribe to our new cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.