Too soon to attribute cyberattack that disrupted U.S. newspapers, researchers say

It’s too soon to tell whether North Korean hackers were responsible for a cyberattack that prevented multiple major U.S. newspapers from delivering weekend editions on time.

The attack last week against the Tribune Company disrupted printing operations at papers including the Los Angeles Times, the San Diego Union-Tribune, the New York Times and the Wall Street Journal. Several sources told the Los Angeles Times the attack appeared to be caused by Ryuk, a type of ransomware with low technical capabilities. Ryuk has infected hundreds of computers at multiple companies, according to researchers from security vendor Check Point.

While Ryuk shares attributes with the Hermes malware, which is often attributed to suspected North Korean hackers known as the Lazarus Group, researchers say that doesn’t mean Pyongyang has launched a digital assault against U.S. press institutions.

“The style of this attack fits the pattern of a lot of different groups at this point,” Robert M. Lee, CEO of the industrial cybersecurity company Dragos, told CyberScoop in an email. “This complicates the attribution claims of course and at this point any claims of attribution simply are too early.”


“You cannot just simply look for Hermes malware to pop up and go ‘Yup, that’s Lazarus Group,’” Lee said in a blog post Monday.

The FBI declined to comment Monday on whether it is investigating the attack.

“We are aware of reports of a potential cyber incident affecting several news outlets, and are working with our government and industry partners to better understand the situation,” Katie Waldman, a spokeswoman for the U.S. Department of Homeland Security, said in a statement to CyberScoop.

DHS has not been asked by any of the affected entities for assistance in this matter.

Editors at the San Diego Union-Tribune first noticed the attack Thursday evening when they tried sending digital files to the plate-making facility used to print newspapers, only to be locked out of the system, the Los Angeles Times reported. The virus spread through the publishing platform shared by numerous papers, then, as technology teams worked to stop the attack, reinfected systems necessary for production, according to the Times.


The result was delayed distribution of West Coast papers, though the hack did not prevent outlets from publishing news online.

Company officials “suspected the cyberattack originated from outside the United States, but officials said it was too soon to say whether it was carried out by a foreign state or some other entity,” the Los Angeles Times reported. Another anonymous source speculated that attackers intended to disable infrastructure and servers, rather than steal information.

Representatives from the Tribune Company, the Los Angeles Times and the San Diego Union-Tribune did not respond to requests for comment.

While investigators still are probing the incident, a ransomware attack would resemble recent breaches not blamed on nation-state attackers. The Department of Justice in November charged two Iranian individuals with orchestrating the SamSam ransomware attacks against targets including the cities of Atlanta and Newark, as well as the Port of San Diego and the Colorado Department of Transportation.

“Many of the victims were public agencies with missions that involve saving lives and performing other critical missions for the American people,” Deputy Attorney General Rod Rosenstein said in November when announcing the SamSam indictments.


Media companies, while not tasked with life-saving responsibilities, share many of the same vulnerabilities that have haunted other sectors where ransomware has been a problem, Robert M. Lee, of Dragos, told CyberScoop.

“Also, due to the nature of the operations there is pressure to pay the ransom to meet deadlines,” he said.

Lee pointed to the Poison Ivy malware as a hacking tool that once was fairly unique to Chinese hackers before it entered wider use. “[L]ater it was an openly available tool to many teams, yet security researchers didn’t originally understand the tool had spread out … which led to a lot of attribution of Poison Ivy usage to Chinese nation-state actors when in fact it was completely unrelated groups,” he wrote in an email.

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.
