Major Russian hacking group linked to ransomware attack on Sinclair: report

A well-known Russian hacking group previously sanctioned by the United States is behind the crippling ransomware attack on Sinclair Broadcast Group that is continuing to impact news stations across the country, according to a new report.

Bloomberg News cited multiple people “familiar with the attack” in reporting that a group known as Evil Corp. was behind the ransomware attack, which occurred late last week and was disclosed by Sinclair both to the Securities and Exchange Commission and to the public on Monday. 

According to Bloomberg, the hackers used a malware virus known as Macaw to attack Sinclair. The company confirmed that data had been stolen in the attack, but that it was still working to determine exactly what data was stolen.

The Hill has reached out to Sinclair for comment. 

The ransomware attack has wreaked havoc on Sinclair-owned and -operated news stations this week. Sinclair is the second-largest U.S. television station operator, owning or operating around 185 stations. 

Sinclair noted Monday that the attack had caused “disruption” to portions of the company, including the provision of local advertisements, stressing that it was “working diligently to restore operations quickly and securely” and that it had engaged the help of an unnamed cybersecurity firm in doing so. 

CNN reported Monday that some TV stations had trouble accessing graphics, phones and video files and that some live segments were being pre-taped. 

Evil Corp. was the target of a multiagency effort in 2019 after it was accused of using its Dridex malware to steal more than $100 million from hundreds of banks and financial entities in over 40 countries. 

As part of that effort, the Treasury Department issued sanctions against 17 individuals and and seven entities associated with Evil Corp., while the State Department offered a reward of up to $5 million for information that could help capture and convict the group’s leader, Maksim Yakubets. The Justice Department also unsealed an indictment against Yakubets.

“Our goal is to shut down Evil Corp, deter the distribution of Dridex, target the ‘money mule’ network used to transfer stolen funds, and ultimately to protect our citizens from the group’s criminal activities,” former Treasury Secretary Steven Mnuchin said in a statement at the time.

Evil Corp. is one of multiple Russian-linked hacking groups that has grabbed the spotlight in recent months. 

The REvil cybercriminal group was linked to both the ransomware attack in May on meat producer JBS USA and to the July attack on IT group Kaseya, which impacted up to 1,500 other companies. Websites used by REvil went dark in the weeks following the Kaseya attack, ahead of a planned law enforcement operation against the group. 

The DarkSide group, also believed to be based in Russia, was linked to the ransomware attack on Colonial Pipeline in May that led to fuel shortages in several states, which also went offline following the incident. 

A coalition of federal agencies earlier this week put out an alert warning that the BlackMatter ransomware group targeting agricultural groups is “a possible rebrand of DarkSide.”

The Biden administration has taken steps to attempt to curtail Russian-linked malicious cyber activity, including with President Biden urging Russian President Vladimir Putin to crack down on cybercriminal groups operating in Russia during an in-person meeting in June.