Tribune Publishing cyberattack raises attribution questions

A cyberattack on Tribune Publishing Company LLC this weekend disrupted the printing operations of several major newspapers, including the Los Angeles Times and Chicago Tribune, but questions remain about the nature and attribution of the incident.

The Tribune Publishing cyberattack, which was initially discovered Friday, involved malware that affected several of the company's systems for producing and printing its newspapers. Those systems are shared not only by several Tribune Publishing newspapers but other third-party publications such as The New York Times and The Wall Street Journal. Tribune Publishing sold the Los Angeles Times and other California-based publications earlier last year to investment firm Nant Capital, but the newspapers still use the Tribune's production platform.

As a result, several newspapers' operations were disrupted over the weekend. For example, a company statement in the Chicago Tribune said Saturday's print issue was shipped without paid death notices and classified ads, while other papers such as the South Florida Sun Sentinel were unable to deliver print issues at all. The Tribune Publishing cyberattack did not affect any websites or mobile applications, according to the statement, and there was no evidence that customers' financial data or personally identifiable information were affected.

Tribune Publishing didn't specify the type of malware that infected its systems, but the Los Angeles Times cited anonymous sources that claimed Ryuk ransomware was behind the disruption. Ryuk was first detected in August by cybersecurity vendor Check Point Software Technologies; Check Point's research described the ransomware as "targeted and well-planned," earning more than $640,000 in bitcoin payments. Check Point also said Ryuk's campaign and malicious code bore similarities to the Hermes ransomware, which was attributed to North Korean state-sponsored hackers known as the Lazarus Group.

The Los Angeles Times report led some media outlets to speculate that North Korean nation-state hackers were behind the Tribune Publishing cyberattack. However, some infosec experts cautioned against attributing the attack. Robert Lee, founder and CEO of Dragos, an industrial control system security vendor based in Hanover, Md., said more information is needed before an accurate assessment of the attack can be made.

"The only thing being highlighted in certain media outlets is transitive attribution because of links observed in different malware families. This is sloppy and will lead to numerous inaccuracies," Lee wrote in a blog post.

In addition, threat detection vendor CrowdStrike told The New York Times that it had observed Ryuk ransomware being used by suspected Eastern European cybercriminals. Check Point itself noted in its research that Ryuk could either be the work of the Lazarus Group "or the work of an actor who has obtained the HERMES source code."