Cyber Incident Victim: Sociedad Española de Radiodifusión

Date: Nov 2019

Location: Spain

Summary

A ransomware attack targeted Sociedad Española de Radiodifusión (Cadena SER) and IT services firm Everis, a subsidiary of Japan’s NTT, causing widespread network shutdowns and operational disruptions. The incident prompted precautionary disconnections by other organizations, including a major airport operator, due to potential supply chain risks. Security researchers identified the malware as a BitPaymer variant associated with the Dridex group, consistent with recent campaigns exploiting service providers to infiltrate client networks. The radio network maintained broadcasts from its central facility while disconnecting all operating computer systems and collaborating with national cybersecurity authorities to restore local station infrastructure. The attack induced significant operational paralysis, with one affected company describing internal chaos as technicians worked to mitigate the impact.

Description

On November 4, 2019, a targeted ransomware attack disrupted operations at multiple Spanish organizations, including IT services firm Everis (a subsidiary of Japan’s NTT) and radio broadcaster Sociedad Española de Radiodifusión (Cadena SER). The attack forced Everis and SER to shut down their networks, with a technician describing the environment as "in hysteria mode." Spanish airport operator Aena preemptively disabled some services due to Everis’ on-site presence at numerous corporations, though no additional entities publicly confirmed direct compromise. Spain’s Department of National Security (DSN) acknowledged the incident at SER, stating the broadcaster disconnected all operating computer systems following established cyberattack protocols. SER maintained limited operations from Madrid while local technicians collaborated with Spain’s National Institute of Cybersecurity (INCIBE) to restore systems. The attack’s ripple effects highlighted supply chain vulnerabilities, given Everis’ role as a service provider to other businesses.

Security researchers, including Vitali Kremez, identified the ransomware as a variant of BitPaymer associated with the Dridex malware group. A ransom note screenshot shared by Spanish cryptocurrency outlet Bitcoin.es exhibited BitPaymer’s characteristics. This attack mirrored earlier campaigns, such as a July 2019 Dridex-driven BitPaymer incident targeting a supply chain provider, as documented by Morphisec. The October 22, 2019, BitPaymer attack on billing service provider Billtrust further demonstrated the trend of threat actors exploiting managed service providers. While the full scope of the Spanish incident remained unclear, the DSN’s confirmation and INCIBE’s involvement underscored its severity. No data theft or financial demands were disclosed in available reports, with restoration efforts focused on system recovery.
