Cyber Incident Victim: Sunny 107.9 WFBS-LPFM
Date:
Jan 2017
Location:
United States of America
Summary
A radio station in South Carolina and multiple other U.S. broadcasters were hijacked via unsecured Barix streaming devices, causing unauthorized playback of an explicit anti-Trump song on loop. The attackers exploited devices lacking password protection, leveraging IP-based access to override regular programming—a method similar to prior incidents where hackers used Shodan search engine to target vulnerable equipment. Impacts included prolonged disruptions across affected stations, with some confirming international origin IP addresses involved. The incident mirrored an earlier botnet attack that hijacked stations to broadcast unrelated content, highlighting recurring security gaps in broadcast infrastructure. Additional unverified reports suggested broader geographic targeting, while one station proactively shared captured attacker data with regulators.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On January 20, 2017, multiple U.S. radio stations experienced unauthorized signal hijackings beginning around 2:00 PM Eastern Time. Attackers compromised broadcast equipment to replace regular programming with a continuous loop of YG & Nipsey Hussle's explicit protest song "F*** Donald Trump." Confirmed affected stations included Radio 810 Nashville's "El Jefe 96.7" WMGC/W244CW in Murfreesboro, Tennessee; Crescent Hill Radio's WCHQ-LP (100.9 FM) in Louisville, Kentucky; and Sunday Morning Glory Radio's KCGF-LP (100.5 FM) in San Angelo, Texas. Unverified reports indicated additional compromises in California, Indiana, and Washington State. The hijacking persisted for varying durations across stations, with San Angelo's KCGF-LP broadcasting the unauthorized content for an unspecified period captured in a local aircheck.
Technical analysis revealed the attacks exploited unsecured Barix Exstreamer devices used for station audio transmission. As with a similar April 2016 incident where hackers used Shodan search engine to locate vulnerable Barix STL devices and broadcast furry-themed content, the 2017 attackers targeted internet-connected devices without password protection. Lake Keowee Broadcasting Group's "Sunny 105.9" WFBS-LP in Salem, South Carolina, was compromised on January 23, 2023, when hackers activated the anti-Trump loop around 10:00 PM. Station President Frank Patterson identified and reported the attacking IP address—later determined to be of international origin—to the Federal Communications Commission. Multiple station operators confirmed neglecting to implement password authentication on their Barix devices prior to the incident, with WCHQ-LP President Kathy Weisbach acknowledging this critical security oversight. Concurrently, an unlicensed Seattle-area station (101.9 FM, tentatively identified as KQES-LP Bellevue) broadcast the song on loop for nearly a week, though this entity lacked FCC authorization and hadn't filed required operational documentation. The hijackings prompted immediate corrective actions, including password implementation on vulnerable devices and dissemination of security protocols by industry groups like the Michigan Association of Broadcasters.