Major U.S. newspapers failed to meet publication schedules over the weekend following a cyberattack on the servers at the Los Angeles Times’ printing plant, crippling operations at the facility that prints and distributes editions of the Wall Street Journal, New York Times, Los Angeles Times, Chicago Tribune and Baltimore Sun.
A server owned by Tribune Publishing went out Saturday, prompting company officials to detect malware that had corrupted files. Efforts to repair the security breach failed to prevent sweeping disruptions in the production of editions of the papers printed at the facility in suburban Los Angeles, including west coast editions of the Wall Street Journal and New York Times.
Davey Winder, a cybersecurity journalist and columnist for Forbes, said in a Sunday column that the attack appears to have been perpetrated by “North Korean threat actors” associated with the Lazarus Group, a North Korean outfit that was behind the 2014 cyber hack at Sony Pictures.
Workers at the Tribune publishing plant noticed something strange about midnight on Thursday, when the servers balked at taking normal commands. Programmers found a bug, identified at a malware attack but failed to contain it.
By late Friday, the attack was hindering the transmission of pages from offices across southern California to printing presses as publication deadlines approached.
Tribune Publishing said the company was certain that the cyberattack did not penetrate or collect any personal date belonging to subscribers, online users or advertising clients.
At the San Diego Union-Tribune, publisher and editor Jeff Light noted that between 85 percent and 90 percent of the early Saturday edition of his newspaper did not reach subscribers. “Papers that should have arrived in San Diego around 3 a.m. to 4 a.m. instead arrived at 7 a.m. and 8 a.m.,” he told the Los Angeles Times.
The cyberattack caused widespread issues in South Florida, one of Tribune Publishing’s major markets. The South Florida Sun Sentinel, based in Fort Lauderdale, told readers that it had been “crippled this weekend by a computer virus that shut down production and hampered phone lines,” according to a story on its website.
According to a story posted Saturday on the Los Angeles Times website about the attack on its operations, the publisher didn’t know exactly who infected its servers, but suspects it was a cyberattack that originated from outside of the country. The article said it was too soon to know if it was executed by a foreign government or by some private source.
“We believe the intention of the attack was to disable infrastructure, more specifically servers, as opposed to looking to steal information,” an unidentified source told the Los Angeles Times, speaking under the cloak of anonymity because he was not authorized to comment publicly. The newspaper said its source declined to say what evidence led the company to believe the attack was from overseas.
Forbes’ Winder noted the attack on the Tribune server bore striking resemblance to so-called Ryuk ransomware, which was linked to the Sony hack.
In that attack, cyber intruders slinked into the entertainment company’s computers, stealing confidential documents and posted them online. U.S. government officials said at the time they believed the Lazarus Group, which it said was tied to the North Korean government, was behind the attack and carried it out to embarrass Sony for a planned release of a movie that mocked North Korean leader Kim Jong Un.
The film — titled “The Interview” — was an action-comedy that included an assassination plot against the dictator. Sony canceled the premier of the film, fearing threats against theaters that planned to show it.
Winder wrote in his column that Tribune Publishing first detected malware within corrupted files that contained the Ryuk fingerprint of a ‘.ryk’ extension.
“Certainly the fact that Ryuk is being mentioned, albeit not yet officially, as the malware behind the disruption points at the North Korean Lazarus Group,” Winder wrote.
“The trademark of this group is to undertake highly targeted and very well researched and resourced attacks involving the kind of reconnaissance usually associated with state sponsored threat actors…. The nature of this attack, targeting the printing and distribution processes of major newspapers, reveals that it was designed to disrupt rather than steal data.”