Cyberattack disrupts printing of major US newspapers

[NEW YORK] The Los Angeles Times says an unusual cyberattack that disrupted its printing operations and those at newspapers in San Diego and Florida over the weekend came from outside the United States, but it stopped short of accusing a specific foreign government.

Computer malware attacks on infrastructure, while relatively rare, are hardly new: Russia has been credibly accused of shutting down power grids in Ukraine and a petrochemical plant in Saudi Arabia, Iran crippled a casino in Las Vegas, and the United States and Israel attacked a nuclear enrichment plant in Iran. But this would be the first known attack on major newspaper printing operations, and if politically motivated, it would define new territory in recent attacks on the media.

The malware was focused on the networks used by Tribune Publishing, which until recently owned The Los Angeles Times and The San Diego Union-Tribune. The two papers still share their former parent company's printing networks.

The Los Angeles Times said the attack also affected the Saturday distribution of The New York Times and The Wall Street Journal, which share use of a large printing plant in Los Angeles for their West Coast editions. Both appear to have been collateral damage; there was no evidence that they were hit by the same malware aimed at the Tribune company.

The online editions of the news organizations were not affected, and Tribune Publishing said no data about its subscribers was compromised.

"Every market across the company was impacted," Marisa Kollias, a spokeswoman for Tribune Publishing, told The Los Angeles Times. The Tribune's remaining publications include its flagship, The Chicago Tribune, and newspapers in Florida, Hartford, Connecticut, and Maryland. It also owns The Daily News in New York.

Missing from Tribune's statements were any details about the nature of the malware or evidence for its assertion that the attack originated overseas. Anonymous sources cited by The Los Angeles Times suggested that the malware may have been a form of ransomware - a pernicious attack that scrambles computer programs and files before demanding that the victim pay a ransom to unscramble them.

Even if the attack was the work of foreign hackers, that does not necessarily mean it was backed by a government. Ransomware attacks are frequently the work of criminal groups, with three notable exceptions: a huge attack by hackers in North Korea in 2017, an attack months later against Ukraine by Russian hackers and, more recently, attacks against US hospitals and even the city of Atlanta by hackers in Iran. Those latest attacks were believed to be the work of individuals and not directed by Tehran.

Neither Tribune Publishing nor The Los Angeles Times said the attack was linked to a ransom demand.

But a news article in The Los Angeles Times, and one outside computer expert, said the attack shared characteristics with a form of ransomware called Ryuk, which was used to target a North Carolina water utility in October and other critical infrastructure. Some experts have linked that malware to a sophisticated North Korean group, but CrowdStrike, a security firm that has been tracking the group behind Ryuk, said it believed cybercriminals in Eastern Europe were responsible.

Adam Meyers, head of threat intelligence at CrowdStrike, said cybercriminals appeared to have been infecting victims with Ryuk through a criminal tool called Trickbot. The tool was used in banking attacks and, more recently, attacks on major businesses and infrastructure in the United States, Canada and Britain.

Sophos, another security vendor, said Ryuk's creators were selective about whom they targeted. They deploy the ransomware against victims that can pay large, often six-figure ransoms, particularly in the commodities, manufacturing and health care industries, Sophos said.

Whoever is behind the ransomware, the attacks appear to have paid off. This month, the group, which goes by the name Grim Spider, received a ransom payment of nearly 100 bitcoin, the equivalent of more than US$380,000.

It apparently took Tribune a while to understand the nature of the attack. The problem first appeared to be a malfunctioning computer server. The first evidence of the attack emerged Thursday night, The Los Angeles Times reported, and by Friday it appeared to have been contained. But it came back - a frequent occurrence with sophisticated attacks - and began to spread through the systems that govern the interface between the news content systems and the systems that control the printing of the newspapers.

By late Friday, The Los Angeles Times said, "the attack was hindering the transmission of pages from offices across Southern California to printing presses." Among the hardest hit was the San Diego paper, whose production teams could not transmit the files that enable the making of page plates for the printing presses.

As a result, delays cascaded across the printing schedules for other newspapers. The South Florida Sun Sentinel was also hit, the newspaper reported on its website. It said distribution of The New York Times and The Palm Beach Post had also been affected, because they share the same presses.

On Sunday, Hillary Manning, vice president for communications at The Los Angeles Times, said, "The presses ran on schedule, and papers were being delivered as usual today." She added, "The systems outage caused by a virus or malware has not been completely resolved yet."

About 20,000 copies of The New York Times from the Los Angeles plant were delivered a day late, a spokeswoman for the paper, Eileen Murphy, said.

Colleen Schwartz, a spokeswoman for The Wall Street Journal, said she could confirm that The Journal "was impacted in certain regions," though she did not have any details on which areas or the number of copies affected.

NYTIMES