Cyber Incident Victim: Townsquare Media
Date: Jul 2023
Location: United States of America
Summary
The ALPHV ransomware group claimed a significant cyber attack against Townsquare Media, alleging they had stolen 251GB of data from the company's servers and workstations. The group issued an ultimatum for the company to make contact to prevent the public release of the data. This incident occurred while the company was already under investigation for possible breaches of fiduciary duty.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around July 1, 2023, Townsquare Media, a prominent American radio network and media company, became the victim of a cyber attack claimed by the ALPHV ransomware group. This collective, which has been known for its malicious activities since late 2021, publicly asserted that it had successfully gained unauthorized access to a significant quantity of the company's data. The threat actors added Townsquare Media to their list of victims and stated they were in possession of approximately 251 gigabytes of data. According to their claims, this data was explicitly sourced from the company’s servers and workstations and consisted of files that had been created within the past year. To substantiate their claim, the ALPHV group included nineteen attachments in their public post announcing the breach. This post was subsequently shared on Twitter by Falcon Feed, a threat intelligence service, which helped to bring wider attention to the alleged incident. Two images were included alongside the announcement, purportedly showcasing the sizable data trove the group claimed to have exfiltrated.

As part of their announcement, the ALPHV ransomware group issued an ultimatum to Townsquare Media. They demanded that the company establish contact with them within a week to resolve what they termed an alleged misunderstanding. The explicit threat behind this demand was the public release of the stolen data if the company failed to comply within the stipulated timeframe. This tactic is consistent with common ransomware group operations, where stolen data is used as leverage to extort a payment from the victim organization in exchange for its deletion and to prevent its publication on the group's dark web leak site. At the time the article was published, Townsquare Media had not yet provided an official response to the claims made by the threat actors, as The Cyber Express had reached out to the company but had not received a reply regarding the alleged breach.
This incident was not the first cybersecurity event to impact Townsquare Media. The company had previously experienced a significant cyber attack in 2019. That earlier attack was reported to have involved “crypto locker encryption malware” which was used to take down station operations. The 2019 attack targeted various Townsquare Media clusters across the United States, including those located in Shreveport, Louisiana; Boise, Idaho; Cedar Rapids, Iowa; and Portsmouth, New Hampshire. The impact on operations at the time was severe, particularly for the Shreveport cluster, which experienced significant difficulties. Specific technical systems, including automation triggers and imaging systems, were rendered non-functional, and the airing of commercials was adversely affected. Despite these challenges, some local shows managed to remain on the air by utilizing alternative music sources such as YouTube.
A parallel was noted to an earlier attack on another media entity, Radio One. Radio One's stations were hit in a late February incident in a previous year, which compromised the stations' internal systems. That attack necessitated weeks of recovery efforts and the complete rebuilding of file systems, indicating the potential for a similarly long and complex recovery process for Townsquare Media if the 2023 breach involved encryption or system destruction. The recurrence of a significant cyber incident at Townsquare Media highlights the persistent threats facing entities within the media and broadcasting industry.
The 2023 cyber attack occurred during a period when Townsquare Media was already under external scrutiny. The company was reportedly under investigation by WeissLaw LLP for “possible breaches of fiduciary duty and violations of federal securities laws” by the company’s Board of Directors. This ongoing legal inquiry added a layer of complexity to the situation, potentially exacerbating the consequences for the media company. A significant data breach could compound existing legal and financial challenges, affecting shareholder confidence and regulatory standing. The full implications of the data breach, in conjunction with the investigation, remained to be seen as the company had not yet issued public statements on either matter in relation to the other.
The ALPHV ransomware group, also known as BlackCat, has established itself as a formidable threat actor since its emergence. The group is known for employing a ransomware-as-a-service model and is recognized for its double-extortion tactics, where data is both encrypted and exfiltrated. The threat to publish the stolen data is a core component of their strategy to pressure victims into paying a ransom. The claimed 251GB is a significant amount of data, suggesting a substantial compromise of Townsquare Media's digital infrastructure. The specific targeting of files created within the past year could indicate an intention to acquire the most current and potentially valuable information, including recent financial records, personnel data, proprietary content, or advertising agreements.
The public nature of the claim, made on the group's typical channels and amplified by third-party threat intelligence services, is designed to maximize pressure on the victim organization. By creating a public spectacle, the threat actors aim to provoke a quicker response from the company by engaging stakeholders, clients, and the media, thereby increasing the potential reputational damage. The inclusion of numerous attachments and images in their post is a method used to add credibility to their claims, demonstrating to other potential victims and the cybercriminal community that their attack was successful. This serves to enhance their reputation and intimidate future targets.
The impact on Townsquare Media's operations from the 2023 incident was not detailed in the immediate aftermath of the claim. However, based on the described effects of the 2019 attack, potential disruptions could include difficulties in broadcasting, issues with automated programming and commercial insertion, and challenges in accessing critical operational files. The need to investigate the breach, contain it, and begin recovery efforts would likely divert significant resources from normal business operations. Furthermore, if sensitive personal information of employees or listeners was contained within the exfiltrated data, the company could face additional regulatory obligations, potential legal action, and requirements to provide credit monitoring services to affected individuals.
The media industry, particularly radio broadcasting, which relies heavily on digital automation and interconnected IT systems, presents an attractive target for ransomware groups. Disruptions to broadcasting can cause immediate financial harm through lost advertising revenue and can breach contractual obligations with partners and affiliates. The sector often manages large amounts of data, including intellectual property, listener databases, and internal communications, which can be highly valuable if exposed. The incident underscores the ongoing cybersecurity challenges faced by media companies and the critical need for robust defensive measures to protect against increasingly sophisticated threat actors like the ALPHV ransomware group. The full scope and ultimate outcome of the Townsquare Media data breach remained uncertain pending an official investigation and statement from the company itself.
