The hacking tool used in a ransomware attack that disrupted programming at Sinclair Broadcast Group is similar to malicious code previously used by a Russian crime group sanctioned by the US government, according to a security researcher who has viewed the ransom note.
The code also overlaps with previous hacking tools attributed to the Russian group, according to some analysts who have studied it.
The crime group, known as Evil Corp, is believed to be primarily motivated by money and is known for flaunting its ill-gotten wealth. US authorities have previously accused it of stealing $100 million from victims around the world, in part by accessing the victims’ bank account login information.
Sinclair, which is the second-largest operator of TV stations in the US, has been investigating the ransomware attack since Saturday. The disturbance impeded the production of local newscasts throughout the day on Sunday and again on Monday, Sinclair staffers previously told CNN Business. The company also said it was working to determine what information the hackers stole and that it had notified law enforcement and US government agencies about the attack.
Neither Sinclair nor US government agencies have named a culprit in the hack. A Sinclair spokesperson did not immediately respond to a request for comment.
The possible connection to Evil Corp, which Bloomberg News first reported, would mean Sinclair Broadcast Group had been in the crosshairs of a formidable foe.
Though Evil Corp is thought to be mostly interested in making money, the Treasury Department in 2019 slapped sanctions on alleged members of Evil Corp and accused the group’s leader of providing “direct assistance to the Russian government’s malicious cyber efforts.”
The sanctions generally prohibit organizations that are victimized by Evil Corp from paying the group a ransom to unlock their data. Amid a steady stream of ransomware attacks on US companies this year, the Biden administration has tried to discourage companies from paying ransoms out of concern that it only invites more attacks.