[BreachExchange] Cyberattack Disrupts Printing of Major Newspapers

Destry Winant destry at riskbasedsecurity.com
Mon Dec 31 08:52:11 EST 2018


https://www.nytimes.com/2018/12/30/business/media/los-angeles-times-cyberattack.html

The Los Angeles Times says an unusual cyberattack that disrupted its
printing operations and those at newspapers in San Diego and Florida
over the weekend came from outside the United States, but it stopped
short of accusing a specific foreign government.

Computer malware attacks on infrastructure, while relatively rare, are
hardly new: Russia has been credibly accused of shutting down power
grids in Ukraine and a petrochemical plant in Saudi Arabia, Iran
crippled a casino in Las Vegas, and the United States and Israel
attacked a nuclear enrichment plant in Iran. But this would be the
first known attack on major newspaper printing operations, and if
politically motivated, it would define new territory in recent attacks
on the media.

The malware was focused on the networks used by Tribune Publishing,
which until recently owned The Los Angeles Times and The San Diego
Union-Tribune. The two papers still share their former parent
company’s printing networks.

The Los Angeles Times said the attack also affected the Saturday
distribution of The New York Times and The Wall Street Journal, which
share use of a large printing plant in Los Angeles for their West
Coast editions. Both appear to have been collateral damage; there was
no evidence that they were hit by the same malware aimed at the
Tribune company.

The online editions of the news organizations were not affected, and
Tribune Publishing said no data about its subscribers was compromised.

“Every market across the company was impacted,” Marisa Kollias, a
spokeswoman for Tribune Publishing, told The Los Angeles Times. The
Tribune’s remaining publications include its flagship, The Chicago
Tribune, and newspapers in Florida, Hartford and Maryland. It also
owns The Daily News in New York.

Missing from Tribune’s statements were any details about the nature of
the malware or evidence for its assertion that the attack originated
overseas. Anonymous sources cited by The Los Angeles Times suggested
that the malware may have been a form of ransomware — a pernicious
attack that scrambles computer programs and files before demanding
that the victim pay a ransom to unscramble them.

Even if the attack was the work of foreign hackers, that does not
necessarily mean it was backed by a government. Ransomware attacks are
frequently the work of criminal groups, with three notable exceptions:
a huge attack by hackers in North Korea in 2017, an attack months
later against Ukraine by Russian hackers and, more recently, attacks
against American hospitals and even the City of Atlanta by hackers in
Iran. Those latest attacks were believed to be the work of individuals
and not directed by Tehran.

Neither Tribune Publishing nor The Los Angeles Times said the attack
was linked to a ransom demand.

But a news article in The Los Angeles Times, and one outside computer
expert, said the attack shared characteristics with a form of
ransomware called Ryuk, which was used to target a North Carolina
water utility in October and other critical infrastructure. Some
experts have linked that malware to a sophisticated North Korean
group, but CrowdStrike, a security firm that has been tracking the
group behind Ryuk, said it believed cybercriminals in Eastern Europe
were responsible.

Adam Meyers, the head of threat intelligence at CrowdStrike, said
cybercriminals appeared to have been infecting victims with Ryuk
through a criminal tool called Trickbot. The tool was used in banking
attacks and, more recently, attacks on major businesses and
infrastructure in the United States, Canada and Britain.

Sophos, another security vendor, said Ryuk’s creators were selective
about whom they targeted. They deploy the ransomware against victims
that can pay large, often six-figure ransoms, particularly in the
commodities, manufacturing and health care industries, Sophos said.

Whoever is behind the ransomware, the attacks appear to have paid off.
This month, the group, which goes by the name Grim Spider, received a
ransom payment of nearly 100 Bitcoin, the equivalent of more than
$380,000.

It apparently took Tribune a while to understand the nature of the
attack. The problem first appeared to be a malfunctioning computer
server. The first evidence of the attack emerged Thursday night, The
Los Angeles Times reported, and by Friday it appeared to have been
contained. But it came back — a frequent occurrence with sophisticated
attacks — and began to spread through the systems that govern the
interface between the news content systems and the systems that
control the printing of the newspapers.

By late Friday, The Los Angeles Times said, “the attack was hindering
the transmission of pages from offices across Southern California to
printing presses.” Among the hardest hit was the San Diego paper,
whose production teams could not transmit the files that enable the
making of page plates for the printing presses.

As a result, delays cascaded across the printing schedules for other
newspapers. The South Florida Sun Sentinel was also hit, the newspaper
reported on its website. It said distribution of The New York Times
and The Palm Beach Post had also been affected, because they share the
same presses.

On Sunday, Hillary Manning, vice president for communications at The
Los Angeles Times, said, “The presses ran on schedule, and papers were
being delivered as usual today.” She added, “The systems outage caused
by a virus or malware has not been completely resolved yet.”

About 20,000 copies of The New York Times from the Los Angeles plant
were delivered a day late, a spokeswoman for the paper, Eileen Murphy,
said.

Colleen Schwartz, a spokeswoman for The Wall Street Journal, said she
could confirm that The Journal “was impacted in certain regions,”
though she did not have any details on which areas or the number of
copies affected.
