U.S. second-largest satellite TV provider Dish Network confirmed that the ongoing service outages resulted from a ransomware attack discovered on February 27, 2023.
Dish had initially informed its employees that “large VPN issues” were to blame for the outages, urging them not to contact IT since nobody had access.
However, in an 8-K filing with the U.S. Securities and Exchange Commission on February 28, 2023, the satellite TV provider determined that a “cyber-security incident” caused the widespread service disruptions.
According to last week’s Q4 2022 financial report where the network disruption was also announced, Dish Network has 9.75 million DISH TV (7.42 m) and Sling TV (2.33 m) subscribers.
Satellite TV provider Dish Network is still recovering from a ransomware attack
On its website, Dish said it was “experiencing a system issue that our teams are working hard to resolve,” adding that customers were “having trouble reaching our service desks, accessing their accounts, and making payments” in a separate customer incident notice.
In its 8-K SEC filing, Dish disclosed that the outages resulted from a ransomware attack, which it said, disrupted operations, internet sites, and call centers, sending its corporate communication systems offline. However, the satellite TV provider said DISH TV, Sling TV, and wireless and data services remained operational.
“Dish, Sling, and our wireless and data networks remain operational; however, the Corporation’s internal communications, customer call centers and internet sites have been affected,” Dish wrote.
The ransomware attack, however, impacted Dish Anywhere and Boost Mobile apps, with customers reporting continued outages and payment problems by Sunday, March 5, 2023.
Subsequently, the Englewood, Colorado-based satellite TV provider promised to review late fees for customers unable to complete payment once it resolved the cyber incident.
Although Dish did not expressly describe the incident as a ransomware attack, the SEC filing stated that it was related “to the Corporation’s expectations regarding its ability to contain, assess and remediate the ransomware attack and the impact of the ransomware attack on the Corporation’s employees, customers, business, operations or financial results.”
Responding to the ransomware attack, the satellite TV provider said it activated its incident response, hired external cyber forensics experts, and notified relevant law enforcement authorities.
Additionally, Dish warned that threat actors had potentially extracted data from its corporate IT systems. While an investigation was ongoing, the satellite TV provider anticipated that the stolen data would likely include unspecified personal information.
“It is possible the investigation will reveal that the extracted data includes personal information,” Dish said.
“The Dish Network cyberattack is another example of cyber criminals looking to steal personal information,” said Darren James, Senior Product Manager at Specops Software. “While the details and scope of the attack are still being investigated, it has had a devastating effect on the stock price and company reputation.”
On Tuesday morning, Dish shares fell by 6%, the lowest since 2009, while the company also lost 268,000 DISH TV and SLING TV subscribers and 24,000 wireless customers, according to last week’s Q4 2022 financial report.
Black Basta ransomware gang suspected to be responsible
Meanwhile, Dish withheld the hacker’s identity, described as a “known threat agent” in a leaked memo, and the company did not disclose whether it had received any ransom demands.
However, anonymous sources also told Bleeping Computer that the Black Basta gang was responsible for the ransomware attack, “first breaching Boost Mobile and then the Dish corporate network.”
According to the technology website, attackers first compromised the company’s Windows domain controllers before encrypting VMware ESXi servers and data backups.
First detected in April 2022, the Black Basta ransomware gang is a ransomware-as-a-service (RaaS) operation that deploys the QakBot trojan and operates on the double extortion policy. In June 2022, researchers discovered Black Basta’s ransomware build that could encrypt VMware ESXi virtual machines.
However, Bleeping Computer could not independently confirm whether the gang was responsible for the Dish ransomware attack.
“The outages Dish is experiencing does appear to be as a result of ransomware. Ransomware spreads by exploiting vulnerabilities in unpatched software on machines, and then spreading across the corporate network. If the leaked memo is accurate and employees are being told not to log in to their VPN, this is one way Dish is attempting to protect its remote employees and curtail the spread of the ransomware,” noted Alex Hoff, co-founder and CPO of Auvik Networks.
Rebecca Moody, head of data research at Comparitech, noted a shift in ransomware attacks targeting companies with a lot of data.
“Already this year we have noted six major ransomware attacks on utility providers through our worldwide ransomware tracker,” said Moody. “Ransomware attacks on such organizations can have a huge impact, as we are seeing with Dish’s multi-day outage and South Africa’s RSAWeb which had to shut down its telecommunication systems for a week.”
