An investigation has been launched into a recent cyberattack that disrupted the printing of several major newspapers.
The cyberattack on Tribune Publishing, attributed to a malware infection, disrupted several newspaper print runs, including those of the Los Angeles Times, The San Diego Union-Tribune, and the West Coast editions of The New York Times and The Wall Street Journal. The infection was first detected on Thursday, December 27, 2018, and spread through the Tribune Publishing network on Friday. The Saturday editions of several newspapers produced at the same printing plant were affected.
Tribune Publishing is a newspaper print and online media company based in Chicago. Until June 2018, it owned the Los Angeles Times and The San Diego Union-Tribune; although the two papers are now under new ownership, they still share their former owner's printing network. Tribune still owns major newspapers such as the Chicago Tribune, New York Daily News, and Baltimore Sun, although these are printed at a different site from the one affected by the malware attack.
Initially, the disruption was attributed to a computer breakdown. Officials at the Los Angeles Times later confirmed that it had been the victim of a malware attack conducted by threat actors outside the United States. The malware prevented staff from transmitting finished pages from the newsroom to the printing presses, delaying the printing schedule even for papers that were not directly targeted by the attack.
Tribune Publishing stated that no subscriber or advertiser data was compromised in the attack, and the online editions of the papers were unaffected. The attack is believed to have been an attempt either to deliberately cause disruption or to extort money from Tribune Publishing. However, no ransom demand has been confirmed.
“Every market across the company was impacted,” Marisa Kollias, a spokeswoman for Tribune Publishing, told The Los Angeles Times.
While the malware variant used in the attack has not been officially confirmed, many sources close to the investigation suspect Ryuk ransomware, identified by the extension it appends to encrypted files: .ryk.
Researchers at Check Point had previously analyzed Ryuk and found that it shares some of its source code with Hermes ransomware, which had been attributed to the Lazarus group, an APT actor with strong ties to North Korea.
While it is possible that the Lazarus group conducted the attack specifically to disrupt news outlets, it could equally have been carried out by any actor who obtained the source code of Ryuk or of the closely related Hermes.
Ryuk ransomware first appeared in the summer of 2018 and has been used in many campaigns against organizations in the United States, including a North Carolina water utility in October 2018 and other critical infrastructure.
Not everyone agrees that Lazarus is behind Ryuk. Symantec suggests that Ryuk has been distributed by the group behind the Emotet banking Trojan, and CrowdStrike attributes Ryuk to an Eastern European crime group it tracks as Grim Spider.
Investigators have yet to determine how the malware was installed on the network. Earlier Ryuk campaigns in 2018 began with malspam (phishing) emails; RDP-based access, using stolen credentials or brute-forced RDP passwords, is another possibility. IT teams have been working around the clock to remediate the Tribune Publishing cyberattack.
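The RDP brute-force path mentioned above leaves a recognisable trace in the Windows Security log: a burst of failed logons (Event ID 4625) with LogonType 10 (RemoteInteractive) from one source address, sometimes followed by a successful logon (Event ID 4624) of the same type from that address. The script below is an added example, not code from the article or from Tribune Publishing's investigation. The log excerpt is constructed (addresses are from the documentation range), and the one-event-per-line `EventID=/LogonType=/TargetUserName=/IpAddress=` layout is an assumed simplified export format, not the native Windows log format.

```python
"""Flag RDP password-guessing in exported Windows Security log events.

Added example; the sample log is constructed and the line layout is an
assumed simplified export, not the native Windows event format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+LogonType=(?P<lt>\d+)\s+"
    r"TargetUserName=(?P<user>\S+)\s+IpAddress=(?P<ip>\S+)$"
)

# Constructed excerpt: one external host guesses several accounts over RDP
# and gets in on the sixth try; an internal user mistypes once and then
# logs in normally; a console logon (LogonType 2) is present as noise.
SAMPLE_LOG = """\
2018-12-27T02:10:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2018-12-27T02:10:03 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2018-12-27T02:10:05 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2018-12-27T02:10:07 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.45
2018-12-27T02:10:09 EventID=4625 LogonType=10 TargetUserName=printsvc IpAddress=203.0.113.45
2018-12-27T02:10:12 EventID=4624 LogonType=10 TargetUserName=printsvc IpAddress=203.0.113.45
2018-12-27T02:11:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=10.0.5.20
2018-12-27T02:15:30 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.0.5.20
2018-12-27T02:20:00 EventID=4624 LogonType=2 TargetUserName=jsmith IpAddress=-
"""


def parse_log(text):
    """Parse exported events into dicts, oldest first; skip unrelated lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event_id": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one finding per source IP with >= threshold RDP (LogonType 10)
    failures inside a sliding `window`; record a later RDP success, if any."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    users = defaultdict(set)      # ip -> account names tried
    findings = {}                 # ip -> finding
    for e in events:
        if e["logon_type"] != 10:
            continue              # only RemoteInteractive (RDP) logons matter here
        ip = e["ip"]
        if e["event_id"] == 4625:
            q = recent[ip]
            q.append(e["ts"])
            while e["ts"] - q[0] > window:
                q.popleft()       # drop failures older than the window
            users[ip].add(e["user"])
            f = findings.get(ip)
            if f is not None:
                f["failures"] += 1
                f["last_failure"] = e["ts"]
                f["users"] = sorted(users[ip])
            elif len(q) >= threshold:
                findings[ip] = {
                    "ip": ip,
                    "first_failure": q[0],
                    "last_failure": e["ts"],
                    "failures": len(q),           # counts in-window failures only
                    "users": sorted(users[ip]),
                    "compromised_user": None,
                    "success_at": None,
                }
        elif e["event_id"] == 4624:
            f = findings.get(ip)
            if f is not None and f["compromised_user"] is None:
                # First RDP success from an address already flagged: the guess worked.
                f["compromised_user"] = e["user"]
                f["success_at"] = e["ts"]
    return list(findings.values())


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(parse_log(SAMPLE_LOG)):
        state = f"SUCCEEDED as {f['compromised_user']}" if f["compromised_user"] else "no success seen"
        print(f"{f['ip']}: {f['failures']} RDP failures, accounts {f['users']}, {state}")
```

The threshold and window are tuning knobs; on a real domain controller export, start high and look for a flagged source whose success is followed by unusual activity, since a single burst of failures from an internal address is often just a user with a stale saved password. The script does not see failures that arrive older than the window, so a slow, patient guesser (one attempt per hour) will not be flagged by it; catching that pattern needs a longer window keyed on the number of distinct accounts tried per source.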
On the Sunday after the attack, Hillary Manning, vice president for communications at The Los Angeles Times, said, “The presses ran on schedule, and papers were being delivered as usual today.” She added, “The systems outage caused by a virus or malware has not been completely resolved yet.”