Cyber Incident Victim: Cox Media Group
Date:
Jun 2021
Location:
United States of America
Summary
A ransomware attack disrupted live streaming services across a major US media conglomerate's radio and television stations, impacting internal networks and broadcast capabilities. The incident forced cancellation of scheduled programming, with radio streams remaining offline longer than TV counterparts. Employees were instructed to shut down systems and log out of emails to contain the spread, while third-party platforms relying on affected feeds also experienced outages. The organization's autonomous system vanished from internet routing tables as part of containment efforts, though traditional broadcasts and websites continued operating.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On June 3, 2021, Cox Media Group experienced a disruptive cybersecurity incident impacting its radio and television stations nationwide. The attack began in the morning, disrupting internal networks and live streaming capabilities for web and mobile platforms, though official websites, telephone lines, and standard broadcast programming remained operational. Employees were instructed to shut down systems and log out of email accounts to prevent malware spread, with one employee noting proactive measures were taken to contain the incident. Multiple live programs could not air as scheduled, forcing cancellations across affected stations. Hosts like Brent Martineau publicly acknowledged interruptions, directing audiences to alternative platforms while expressing uncertainty about recovery timelines. Third-party services relying on Cox streams, including Hulu, confirmed broadcast feed disruptions and launched investigations.
The incident affected live streams for television stations including News9, WSOC, WSB, WPXI, and KOKI, along with nearly all Cox radio stations. While some TV streams resumed within hours, most radio streams remained offline at the time of reporting. Cox Media Group’s autonomous system (AS397123) was withdrawn from the internet’s default-free zone, indicating network isolation to contain the attack. The company, which operates 57 radio and TV stations across 20 U.S. markets, did not publicly comment on the incident. This marked the second major ransomware attack against a U.S. media conglomerate since 2019, when Entercom—the nation’s second-largest radio broadcaster—faced similar disruptions. Historical parallels included temporary outages at France’s M6 and The Weather Channel during separate 2019 ransomware incidents.