A Feb. 23 ransomware attack is to blame for a disruption to Dish Network's internal communications capabilities, customer call centers, and Internet sites, the satellite service provider said in an SEC filing this week.
The threat actor behind the attack also accessed Dish Network's IT systems and extracted data from them that could potentially include personal information, the company said — without clarifying whether that meant employee information, customer information, or both.
Broad Impact on Dish Customers
Dish TV and its streaming subsidiary Sling's services remain operational, as do its wireless and data networks. But the incident has affected customers' ability to access their accounts, make payments, and reach the company's service desks, Dish said.
"We're making progress on the customer service front every day, including ramping up our call capacity," Dish said in a note to customers on its main website, which earlier this week was inaccessible to many. "But it will take a little time before things are fully restored."
Dish has hired outside cybersecurity experts and advisers to help evaluate the situation and conduct a forensic investigation of the incident. If that analysis shows the breach impacted customer information, Dish said it will notify affected customers and take appropriate action.
Dish's disclosure about the ransomware attack comes days after the company first reported a cybersecurity incident as causing a systems issue. The service disruptions that the attack caused added to already broader Wall Street concerns about the company's ability to take advantage of 5G opportunities and other issues. It at least partially contributed to an 8% decline in Dish Network's share price this week after a Wall Street analyst double downgraded the company's stock.
Six Service Providers Hit So Far, and Counting
At least six other major Internet services and utilities providers have experienced similar attacks since the beginning of 2023, according to Comparitech, which maintains a running tracker of ransomware attacks around the world. Rebecca Moody, head of data research at Comparitech, says that in addition to Dish, her company has confirmed ransomware attacks on South African ISP RSAWeb, Tonga Communications Corp., Águas e Energia do Porto in Portugal, Grupo Albanesi in Argentina, and US-based Encino Energy.
The attacks in 2023 come after a rash of hits on telecom service providers in the last few months. However, ransomware attacks on utilities providers of all types actually dropped last year — from 49 in 2021 to 38 in 2022, and the average ransom demand dropped from $27.2 million in 2021 to $14 million last year, according to Comparitech data. At the same time, the average number of customer records impacted in these attacks saw a staggering surge — from 192,888 in 2021 to 9.8 million in 2022.
Moody says it's difficult to know for sure what the ransomware attacks on services firms in January and February 2023 portend for the rest of the year. "But if we compare these six attacks throughout January and February of this year to last year's figures [of] two attacks in total, it would suggest hackers have started this year with a renewed focus on utilities companies," she says.
Network Segmentation & Damage Containment
Moody says one factor that could be driving the trend is the huge effect these attacks can have on the victim company and the vast number of customers and businesses that rely on their services. "Regaining control of systems as quickly as possible will be a key priority, which hackers may see as an opportunity to secure a ransom demand," Moody says.
Neil Jones, director of cybersecurity evangelism at Egnyte, says the scope of the attack on Dish Network suggests the threat actors behind it had broad access to its systems. "Generally, there's a strong correlation between the number of systems that are taken down in a cyberattack and the level of access that cyberattackers may have attained," Jones says.
In this instance, Dish's Internet sites, internal communications systems, customer call centers, and customers' bill payment systems were all affected. And early reports suggested that the attack also affected systems at subsidiary Boost Mobile, he says. "This suggests that cyberattackers may have gained broad access to the conglomerate's systems and may have compromised their environment some time ago," Jones says.
A research-based report that Ivanti released earlier this year showed that in most ransomware attacks, threat actors exploited old bugs to gain initial access to systems and maintain persistence on them.
Jones adds that the seemingly broad impact of the Dish Network breach shows why network segmentation is crucial to breach containment. Most organizations don't segment their networks as meticulously as they should, resulting in many recent situations where a single breach impacted the victim's source code, financial data, and customer data. "So, I'm confident that network segmentation will be more of an industry focus going forward," Jones says.