Over the weekend, a cyberattack disrupted print newspaper distribution across the US.
The Los Angeles Times said a malware attack on Tribune Publishing's software systems delayed weekend distribution of the newspaper and affected Tribune publications throughout the country. The print editions of the Baltimore Sun, Capital Gazette, Chicago Tribune, Hartford Courant, and a number of other Tribune-owned papers were published on Saturday without classified ads and death notices, according to the publications.
The attack also affected the San Diego Union-Tribune, the South Florida Sun Sentinel, and distribution of The New York Times and The Wall Street Journal, the West Coast editions of which are printed at the company's LA facility. Distribution of smaller local California papers including the Glendale News Press and Burbank Leader was also affected.
A source inside Tribune Publishing told the L.A. Times the company believes the attack originated outside the U.S. and was intended to disable infrastructure rather than steal information. The company sold both the L.A. Times and San Diego Union-Tribune earlier this year, but the newspapers still rely on Tribune Publishing's production platform and printing networks, the target of the cyberattack. None of the publications' websites or online editions were affected, and the company said no subscriber personal data was compromised.
The company's official statements stopped short of providing further details about the attack, but anonymous sources told the L.A. Times that the Ryuk ransomware may be a culprit. The same ransomware took down a North Carolina water utility in October.
Ryuk, first described by security software provider Check Point over the summer, tends to hit high-value targets that can't afford major downtime, demanding hefty Bitcoin ransoms. The New York Times said the group behind Ryuk, known as Grim Spider, has already been paid nearly 100 Bitcoin valued at more than $380,000 this month. It's unclear whether any of that ransom came from Tribune Publishing.
According to The New York Times report, Tribune first noticed a malfunctioning server this past Thursday night. The problem appeared to be contained but then spread throughout the company's printing software systems on Saturday, debilitating operations and stymying page transmissions to Southern California printing presses.
The company was able to resume on-time deliveries on Sunday, but it said the outage and attack were yet to be completely resolved. The company said it has reported the attack to the FBI, and a spokesperson for the Department of Homeland Security said the agency is also investigating the situation.
There has been some debate over the ransomware culprits. Check Point has linked Ryuk to North Korea's APT Lazarus Group. Security firm CrowdStrike, on the other hand, told The New York Times it believes cybercriminals in Eastern Europe were behind the attack, which may be related to the nefarious TrickBot malware.
This year alone, ransomware attacks have been responsible for crippling systems including the Newark and Atlanta city governments, the Port of San Diego, and clinical lab testing company LabCorp. Those attacks are linked back to the SamSam ransomware strain, which the US government has linked to Iran. The reported Tribune Publishing ransomware attack, whether ultimately traced back to North Korea, other nation-state actors, or hacker groups, marks the first known attack on major newspaper printing operations.