Iranian hackers were behind the ransomware attack that damaged Cox radio and TV stations’ IT systems and live broadcasts earlier this year. The attack was carried out by a threat actor tracked as DEV-0270, which has been linked to many intrusions into US organizations this year that ended in ransomware deployment.
While the Cox Media Group’s infiltration was discovered on June 3 when the attackers used ransomware to encrypt certain internal servers, the group had been breaching and hiding inside the company’s internal network since mid-May. The attack did not affect all Cox Media Group radio and television stations, but it disabled certain stations’ ability to transmit live feeds on their websites.
Initially, the Cox Media Group attempted to downplay the incident. Local reporters who used Twitter to share details about the ransomware attack were chastised and forced to delete their tweets. The corporation finally confirmed the incident in October, without disclosing any specifics about the Iranian hackers.
The discovery that Iranian hackers were behind the Cox attack comes less than a month after the US Department of Justice charged two Iranian citizens with various hacking-related offenses in November. One of the charges was for hacking a US media firm in order to distribute false information about the legality of the 2020 US Presidential election via its website. That firm was later confirmed to be Lee Enterprises, which owns the Buffalo News, the Arizona Daily Star, and the Omaha World-Herald.
According to a Microsoft threat intelligence analysis of the group, DEV-0270 has previously engaged in both information-gathering operations and financially driven attacks, which obscures the actual motive behind the Cox ransomware attack. The strategy of deploying ransomware on the networks of major corporations was first observed in late 2016, carried out by Iranian hackers, namely the SamSam gang.
Their strategy of focusing on large businesses rather than end-users was later adopted by most ransomware threat actors and is now known as “big-game hunting.” Since then, most ransomware attacks have been traced to Russian-based groups; however, certain ransomware cases have also been linked to members of state-sponsored espionage groups operating in Iran, China, and North Korea in recent years.
These groups have used ransomware either to monetize breached firms that had no intelligence-gathering value, or to disguise intelligence collection behind a more routine-looking ransomware incident that would not prompt a more in-depth examination. Cox Media Group spokespersons did not respond to inquiries about the intrusion in May and June.