Foreign cyberattack hits distribution networks of major newspapers

The Los Angeles Times, San Diego Union Tribune, and other major newspapers across the country were hit with a cyberattack that experts say originated in a foreign country.

What first arose as a server outage was identified Saturday as a malware attack, which appears to have originated from outside the United States and hobbled computer systems and delayed weekend deliveries of the Los Angeles Times and other newspapers across the country.

Technology teams worked feverishly to quarantine the computer virus, but it spread through Tribune Publishing’s network and reinfected systems crucial to the news production and printing process. Multiple newspapers around the country were affected because they share a production platform.

The attack delayed distribution of Saturday editions of the Los Angeles Times and San Diego Union Tribune. It also stymied distribution of the West Coast editions of the Wall Street Journal and New York Times, which are printed at the Los Angeles Times’ Olympic printing plant in downtown Los Angeles.

By Saturday afternoon, the company suspected the cyberattack originated from outside the United States, but officials said it was too soon to say whether it was carried out by a foreign state or some other entity, said a source with knowledge of the situation.

The profile of the hacker(s) suggests a sophisticated operation:

“Usually when someone tries to disrupt a significant digital resource like a newspaper, you’re looking at an experienced and sophisticated hacker,” Dixon said.

It could represent “a meaningful step up in attacks” if a group of newspapers is being attacked by malware “at the digital press level,” Dixon said.

Dixon added that the holidays are “a well-known time for mischief” by digital troublemakers because organizations are more thinly staffed.

“It’s an optimal time to attack a major target,” she said.

The malware was a new form of ransomware:

Several individuals with knowledge of the Tribune situation said the attack appeared to be in the form of “Ryuk” ransomware. One company insider, who was not authorized to comment publicly, said the corrupted Tribune Publishing computer files contained the extension “.ryk,” which is believed to be a signature of a “Ryuk” attack.

Cybersecurity experts have known about “Ryuk” ransomware for months. This particular variant, which is distributed by “malicious spam” is “not like common ransomware,” according to an August advisory issued by the U.S. Department of Health and Human Services.

“Ryuk” attacks are “highly targeted, well-resourced and planned,” according to the August advisory. Victims are deliberately targeted and “only crucial assets and resources are infected in each targeted network,” the government’s advisory said. “Infection and distribution carried out manually by the attackers.”
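The one concrete indicator the article gives is the “.ryk” extension on the corrupted files, and the advisory's point that infection is spread manually to crucial assets means the first sign on a print or production host is often a sudden burst of files being renamed or rewritten with that suffix. The following added example (not code from the article or from Tribune Publishing) shows how a defender might turn that indicator into detection logic: it scans a constructed file-event log and flags any host that produces a burst of “.ryk” writes or renames inside a short window, while ignoring a backup job that merely reads already-encrypted files and ignoring hits spread thinly over a long period. The log line format, host names, threshold and window length are assumptions made for this example.

```python
"""Detect bursts of ".ryk"-suffixed file writes in a constructed file-event log.

Added example, not code from the article or from Tribune Publishing. The ".ryk"
extension is the indicator the article reports; the log line format, host names,
threshold and time window are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_EXTENSION = ".ryk"              # extension reported in the article
BURST_THRESHOLD = 5                    # assumed: this many hits in one window is a burst
BURST_WINDOW = timedelta(minutes=2)    # assumed window length
COUNTED_ACTIONS = {"WRITE", "RENAME"}  # reads of encrypted files (e.g. backups) do not count

# Constructed sample log lines, "<iso timestamp> <host> <action> <path>". Not real telemetry.
SAMPLE_LINES = [
    "2018-12-29T02:00:01 print-srv-01 WRITE /jobs/frontpage.pdf.ryk",
    "2018-12-29T02:00:03 print-srv-01 READ /jobs/sports.pdf",
    "2018-12-29T02:00:04 print-srv-01 RENAME /jobs/sports.pdf.ryk",
    "2018-12-29T02:00:09 print-srv-01 WRITE /jobs/metro section.pdf.ryk",
    "2018-12-29T02:00:15 print-srv-01 WRITE /jobs/business.pdf.ryk",
    "2018-12-29T02:00:22 print-srv-01 WRITE /jobs/opinion.pdf.ryk",
    "2018-12-29T02:00:30 print-srv-01 WRITE /jobs/classifieds.pdf.ryk",
    "2018-12-29T02:05:00 editorial-ws-07 WRITE /home/ed/notes.txt.ryk",  # a single stray hit
    "2018-12-29T02:10:00 archive-02 WRITE /archive/2017/jan.zip.ryk",    # five hits, but spread
    "2018-12-29T02:17:00 archive-02 WRITE /archive/2017/feb.zip.ryk",    # over 28 minutes
    "2018-12-29T02:24:00 archive-02 WRITE /archive/2017/mar.zip.ryk",
    "2018-12-29T02:31:00 archive-02 WRITE /archive/2017/apr.zip.ryk",
    "2018-12-29T02:38:00 archive-02 WRITE /archive/2017/may.zip.ryk",
    "2018-12-29T02:40:00 backup-01 READ /jobs/frontpage.pdf.ryk",        # backup read, not counted
]


def parse_event(line):
    """Parse one log line into (timestamp, host, action, path); the path may contain spaces."""
    ts, host, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), host, action, path


def find_ryk_bursts(lines, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return {host: first_timestamp} for every host with at least `threshold`
    counted '.ryk' events inside some interval no longer than `window`.

    A sliding window over each host's sorted timestamps is used, so hits that
    are spread thinly over a long period are not flagged.
    """
    hits = defaultdict(list)
    for line in lines:
        ts, host, action, path = parse_event(line)
        if action in COUNTED_ACTIONS and path.lower().endswith(RANSOM_EXTENSION):
            hits[host].append(ts)

    alerts = {}
    for host, stamps in hits.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop hits that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = stamps[start]    # earliest hit of the burst
                break
    return alerts


if __name__ == "__main__":
    for host, first_seen in sorted(find_ryk_bursts(SAMPLE_LINES).items()):
        print(f"ALERT {host}: burst of {RANSOM_EXTENSION} writes starting {first_seen.isoformat()}")
```

On the sample data only `print-srv-01` is flagged: it rewrites six files with the suffix in under a minute, whereas `archive-02` produces five hits but seven minutes apart, and `backup-01` only reads encrypted files. The threshold and window are the knobs to tune against a site's normal file churn; the extension itself is the weakest part of the signal, since the article notes it is only believed to be a Ryuk signature, so this check belongs alongside process and network telemetry rather than on its own.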

The motive for the attack is unknown. It's just as likely to have been an ideological attack as anything else. 

More to the point, what can newspapers do about it? Perhaps the attack occurred because newspapers never figured this particular system was vulnerable, or judged it not important enough to protect adequately. If that's the case, other digital distribution networks are going to have to rethink their security, or the same thing could happen to them.