What we still don't know about the cyberattack on Tribune newspapers
News operations are returning to normal for the Los Angeles Times and outlets owned by Tribune Publishing, but significant questions remain about a cyberattack that disrupted computer systems for a host of publications around the country and hampered newspaper deliveries over the weekend.
On Saturday the Los Angeles Times reported that Tribune, which owned the Times until June but still shares production software with the newspaper, “suspected the cyberattack originated from outside the United States.” But Tribune did not say whether the suspected hackers may have ties to a foreign government, how they infiltrated the company’s network or what their motives may be.
“Tribune Publishing continues to investigate the diagnosis and remediation of the malware that impacted a portion of our back-office systems,” Marisa Kollias, a spokeswoman for Tribune Publishing, told The Washington Post in a statement Monday. “We continue to make significant progress across the organization that set up Monday’s delivery of newspapers for a successful delivery schedule through extraordinary dedication and effort.”
The Times, citing an unnamed source with knowledge of the situation, reported that the goal of the attack was to disable news operations rather than to steal information. The newspaper cited other anonymous sources who suggested that the cyberattack came in the form of a type of ransomware, known as “Ryuk.”
Ransomware works by encrypting the data on a victim’s computer, locking the owner out of their own files, and then demanding a ransom in exchange for restoring access. Such malicious software has been used in high-profile breaches, including a sprawling attack last year that the Trump administration pinned on North Korea, which affected more than 230,000 computers in more than 150 countries. Hackers also deployed ransomware against a local government in North Carolina, demanding tens of thousands of dollars to unlock data held on Mecklenburg County servers.
Security experts say criminals and state-tied groups have relied on ransomware to profit from desperate victims and disrupt critical infrastructure. But the Ryuk ransomware believed to have been deployed against Tribune has been used in a more targeted way: its operators look for networks with exploitable vulnerabilities and for companies and users with the resources to pay a hefty ransom.
John Shier, a security adviser with British cybersecurity company Sophos, said that cybercriminals can use a specialized search engine to scan the Internet for remote entry points into a company’s network.
The cyberattack slowed publication and distribution of Tribune and other newspapers over the weekend. The Baltimore Sun, the Chicago Tribune and the New York Daily News are among Tribune’s properties. In an article published online by the South Florida Sun-Sentinel on Saturday, the newspaper told readers, “We are still here,” explaining that the outlet “was crippled this weekend by a computer virus that shut down production and hampered phone lines.”
Experts cited the importance of learning the motive for the attack.
“If the attack was targeted at the L.A. Times because they would make a good victim, then it’s not a significant development, although unfortunate,” said Robert M. Lee, chief executive of Dragos, an industrial cybersecurity firm. “If the attack was targeted at the L.A. Times because they are a press site then the U.S. government would very likely want to know the attribution and determine if a foreign state is trying to silence the free press.” But, Lee added, that second scenario is “very unlikely at this point,” given what is known about the attack.
Katie Waldman, a spokeswoman for the Department of Homeland Security, said in a statement to The Washington Post: “We are aware of reports of a potential cyber incident affecting several news outlets, and are working with our government and industry partners to better understand the situation.”
The FBI did not immediately respond to a request for comment on the cyberattack.
Kimberly Goody, manager of financial crimes at the cybersecurity firm FireEye, said that it’s not unusual for crucial details of a cyberattack to be withheld from the public early in the investigation.
A key challenge for Tribune, like many other victims of cyberattacks, will be attributing the hack to a person or group. While indicators can offer clues to the origin of an intrusion, such flags can be masked or intentionally placed to misdirect victims.
“It is very likely that this attack originated outside the U.S., as many such attacks do. But performing any type of attribution at this point, including whether or not it was nation-state orchestrated, is not doable,” Lee said. “Attribution at this point would be very premature and largely a guess.”