On Thursday, The Weather Channel – a trusted cable network source of meteorological data across the U.S. – was knocked off the air by what it said was a “malicious software attack” on its network.
The Weather Channel hack – not to be confused with the Weather Channel’s own hacks – affected its live broadcast for about 90 minutes between 6 and 7:30 a.m., during which canned content was aired. The network resumed broadcasting from backup locations at that point.
The network quickly confirmed that the problem was an attack, not technical difficulties: “We experienced issues with today’s live broadcast following a malicious software attack on the network,” The Weather Channel posted on its Twitter feed. “We were able to restore live programming quickly through backup mechanisms.”
Star weatherman Jim Cantore also confirmed the hack on-air, noting, “The Weather Channel, sadly, has been the victim of a malicious software attack today.”
The general reaction from the populace has been largely, “who would hack the Weather Channel?” But the incident demonstrates that media companies are just as vulnerable to attackers as any other segment that has embraced modern technology. Increasingly, television content is delivered via IP video distribution networks and cloud-based media processing.
“Broadcasting has undergone a significant transformation in moving to information technology and internet protocol (IP)-based networks to distribute content,” said Mark Orlando, CTO of cyber-protection solutions at Raytheon Intelligence, Information and Services, in an emailed statement. “This means that its threat model has also changed – broadcast networks are now susceptible to many of the same threats that other IT-enabled enterprises routinely face, such as ransomware and other malicious code.”
While pirate broadcast signal intrusions at local TV stations, like the infamous Max Headroom incident in Chicago in 1987, are not unheard-of (the interruption of over-the-air signals is not a difficult undertaking, all things considered), the ante is upped when it comes to attacks of national cable channels.
Clearly, hacks like these have the potential to disrupt more than someone’s morning weather forecast. Retaliatory attacks against news organizations, protests and censorship efforts against certain content types, the hijacking of feeds to push out one’s own messages and even extortion efforts (every advertising block that goes unseen translates to potentially tens of thousands of dollars in revenue) are all potential motivations.
“Incidents like these demonstrate the reputational risk and potential public-safety issues introduced by cyber-attacks in the broadcasting sector, and we can draw some parallels to critical infrastructure protection in that the defensive strategy must evolve along with modernization efforts,” Orlando added.
Fortunately, incidents like these are also rare. The only other public example is a 2015 attack on French TV network TV5Monde, when it was taken off air and it networks severely damaged. A group calling itself the Cyber Caliphate, linked to so-called Islamic State, first claimed responsibility, but further investigation showed that the likely culprit was Russia’s APT28 (a.k.a. Fancy Bear, Sednit or PawnStorm). The attack ended up being the result of an infestation of highly targeted malware, carried out for political reasons.
Further details are scant (the Feds are investigating, according to the network), but some researchers are wondering if ransomware was to blame.
“At this time the details of the cyberattack have been limited though it appears to have impacted the company’s ability to broadcast live weather though backup systems enabled the company to restore some production systems,” said Joseph Carson, chief security scientist at Thycotic, via email. “It will be interesting to see if this attack is related to the most recent string of malicious malware impacting other global organizations such as the LockerGoga ransomware that impacted Norsk Hydro several weeks ago, causing more than over $40 million in damages so far. And still several systems are under manual control, a week following the incident.”
Don’t miss our free Threatpost webinar, “Data Security in the Cloud,” on April 24 at 2 p.m. ET.
A panel of experts will join Threatpost senior editor Tara Seals to discuss how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.