Was This an Act of Cyberwar?
One thing is certain: a foreign actor of unknown identity does not like — and targeted — American newspapers.
A cyber-attack has caused printing and delivery disruptions to major US newspapers, including the Los Angeles Times, the Chicago Tribune and the Baltimore Sun. …
Tribune Publishing, which owns the Chicago Tribune and the Sun, as well as the New York Daily News and Orlando Sentinel, said it first detected the malware on Friday.
The west coast editions of the Wall Street Journal and New York Times were also hit, as they are printed on the shared production platform, the Los Angeles Times said.
A spokesman for the Department of Homeland Security told Reuters they are investigating the attack.
LA Times provides details of the attack…
The attack seemed to have begun late Thursday night and by Friday had spread to crucial areas needed to publish the paper.
The computer problem shut down a number of crucial software systems that store news stories, photographs and administrative information, and made it difficult to create the plates used to print the papers at The Times’ downtown printing plant.
All papers within The Times’ former parent company, Tribune Publishing, experienced glitches with the production of papers. Tribune Publishing sold The Times and the San Diego Union-Tribune to Los Angeles businessman Dr. Patrick Soon-Shiong in June, but the companies continue to share various systems, including software.
Tribune Publishing said in a statement Saturday that “the personal data of our subscribers, online users, and advertising clients has not been compromised.”
… and specifics.
Very little [is known about the attacker]. Experts said it’s hard to speculate without more information.
“Usually when someone tries to disrupt a significant digital resource like a newspaper, you’re looking at an experienced and sophisticated hacker,” Dixon said.
It could represent “a meaningful step up in attacks” if a group of newspapers is being attacked by malware “at the digital press level,” Dixon said.
Dixon added that the holidays are “a well-known time for mischief” by digital troublemakers because organizations are more thinly staffed.
“It’s an optimal time to attack a major target,” she said.
Several individuals with knowledge of the Tribune situation said the attack appeared to be in the form of “Ryuk” ransomware. One company insider, who was not authorized to comment publicly, said the corrupted Tribune Publishing computer files contained the extension “.ryk,” which is believed to be a signature of a “Ryuk” attack.
Cybersecurity experts have known about “Ryuk” ransomware for months. This particular variant, which is distributed by “malicious spam,” is “not like common ransomware,” according to an August advisory issued by the U.S. Department of Health and Human Services.
“Ryuk” attacks are “highly targeted, well-resourced and planned,” according to the August advisory. Victims are deliberately targeted and “only crucial assets and resources are infected in each targeted network,” the government’s advisory said. “Infection and distribution carried out manually by the attackers.”
In September, the Port of San Diego was hit by a similar attack. That attack came two months after a strike at the Port of Long Beach.
The pattern of attacks suggests an entity acting in the interest of a hostile state — the number and intensity of which seem to be growing under the diplomatic incompetence of former steak and wine pitch-man Donald J. Trump.