Foreign cyberattack hits newspapers: Here is what we know


The Los Angeles Times and other newspapers were the victims of an apparent cyberattack.

A source with knowledge of the situation said a “foreign entity” launched the attack using malware, which prevented The Times and others from publishing the Saturday print edition on time.

Here is what we know:

Q: What is a malware attack?

Malware attacks are extremely common, affecting millions of computers in homes, offices and other organizations every day, said Salim Neino, CEO of the company Kryptos Logic.


In some cases, dubbed “ransomware,” the attackers disable the system and demand money, said Neino, whose company tackled a major ransomware attack called WannaCry last year. In other instances, the goal is simply to disrupt or “break stuff” by wiping systems, Neino said. (It’s unclear if those involved in the Times attack have sought ransom.)

Malware has also been used to quietly infect computers and then sell access to other cybercriminals, who can steal banking credentials or exploit other valuable information, Neino said. In many cases, the attackers have been all but impossible to track digitally, although the federal government has, on some occasions, been able to catch them, he added.

Neino said that in the absence of more information, he could not comment specifically on the attack on the newspapers’ system. However, he said that in general, computer systems used for manufacturing tend to be outdated and more vulnerable because they are used nonstop and updated less frequently than, say, devices issued to company employees.

Malware attack disrupts delivery of Los Angeles Times, other newspapers across U.S. »

Malware has, over time, become more sophisticated and coordinated, involving more planning by networks of hackers who infiltrate a system over time, said Pam Dixon, executive director of the World Privacy Forum, a nonprofit public interest research group.

“Modern malware is all about the long game,” Dixon said. “It’s serious attacks, not small stuff anymore.”


“When people think of malware, the impression may be, ‘It’s a little program that runs on my computer,’” Dixon said. Today, “malware can root into the deepest systems and disrupt very significant aspects of those systems.”

Q: What is known about the attacker?

Very little. Experts said it’s hard to speculate without more information.

“Usually when someone tries to disrupt a significant digital resource like a newspaper, you’re looking at an experienced and sophisticated hacker,” Dixon said.

It could represent “a meaningful step up in attacks” if a group of newspapers is being attacked by malware “at the digital press level,” Dixon said.

Dixon added that the holidays are “a well-known time for mischief” by digital troublemakers because organizations are more thinly staffed.

“It’s an optimal time to attack a major target,” she said.

Several individuals with knowledge of the Tribune situation said the attack appeared to be in the form of “Ryuk” ransomware. One company insider, who was not authorized to comment publicly, said the corrupted Tribune Publishing computer files contained the extension “.ryk,” which is believed to be a signature of a “Ryuk” attack.

Cybersecurity experts have known about “Ryuk” ransomware for months. This particular variant, which is distributed by “malicious spam” is “not like common ransomware,” according to an August advisory issued by the U.S. Department of Health and Human Services.

“Ryuk” attacks are “highly targeted, well-resourced and planned,” according to the August advisory. Victims are deliberately targeted and “only crucial assets and resources are infected in each targeted network,” the government’s advisory said. “Infection and distribution carried out manually by the attackers.”

In September, the Port of San Diego was hit by a similar attack. That attack came two months after a strike at the Port of Long Beach. It is unclear whether the attacks were related or if the culprits demanded ransom in any of the incidents.

Q: What exactly happened to The Times?

The attack seemed to have begun late Thursday night and by Friday had spread to crucial areas needed to publish the paper.

The computer problem shut down a number of crucial software systems that store news stories, photographs and administrative information, and made it difficult to create the plates used to print the papers at The Times’ downtown printing plant.

All papers within The Times’ former parent company, Tribune Publishing, experienced glitches with the production of papers. Tribune Publishing sold The Times and the San Diego Union-Tribune to Los Angeles businessman Dr. Patrick Soon-Shiong in June, but the companies continue to share various systems, including software.

Tribune Publishing said in a statement Saturday that “the personal data of our subscribers, online users, and advertising clients has not been compromised.”

Q: What are some other major attacks?

The highest-profile cyberattack of a media company was in late 2014 at Sony Pictures Entertainment in Culver City.

Hackers, which the FBI later determined were affiliated with the North Korean government, broke into Sony Pictures’ computer system and copied huge chunks of data, which they later posted online for the world to see.

That theft was enormous: employees’ personal information, including Social Security numbers, movie production schedules and budgets, media distribution lists and embarrassing emails sent by top executives.

The Sony Pictures hackers, who called themselves Guardians of Peace, appeared to be riled up over the 2014 Seth Rogen buddy comedy called the “The Interview.” North Korean leader Kim Jong Un was portrayed in the film as a buffoon, and Rogen and James Franco, who both starred in the film, played journalists who had been recruited by the CIA to assassinate the North Korean leader.

Sony Pictures’ workforce learned of the attack on Nov. 24, 2014, just days before Thanksgiving. Their computer screens were overtaken by a ghoulish cartoon, then the computer systems crashed.

A note to our readers: Major computer breakdown disrupts printing and delivery »

Sony took the computers offline and spent days trying to repair the damage. Media companies are particularly vulnerable to cyberattacks, according to a recent survey by Forrester Consulting and Hiscox, an international insurance specialist.

“High-profile products and complex production processes, coupled with the media and entertainment industry’s extensive use of outside vendors, give cyber criminals more opportunities to attack,” the two companies wrote in a recent report.