The Los Angeles Times, the San Diego Union-Tribune and Tribune Publishing said newspaper delivery operations were back to normal on Sunday, but that some issues remained after a malware attack that affected papers from California to Florida.
Little was known about why an attacker sought to upend newsrooms and production centers, ultimately delaying delivery of about a dozen newspapers across the country on Saturday. In the Times’ El Segundo office, phones lit up throughout the day as readers called to complain about missed editions.
The cyberattack also hobbled Tribune Publishing, whose properties include the Chicago Tribune, Baltimore Sun and South Florida Sun Sentinel as programmers tried to contain the computer virus. Multiple newspapers were affected because they share a production platform.
Tribune Publishing sold The Times and the San Diego Union-Tribune to Los Angeles biotech entrepreneur Dr. Patrick Soon-Shiong in June, but the two companies continue to share various systems, including software.
By Sunday, production and delivery were back on track at all the papers, but the company continues to work through other unresolved system issues, Marisa Kollias, a Tribune Publishing spokeswoman, said in a statement.
“We acted promptly to secure the environment while ... creating workarounds to ensure we could print our newspapers,” she said. “The personal data of our subscribers, online users, and advertising clients has not been compromised.”
She did not address details about the attack itself.
Earlier, a source with knowledge of the situation said the cyberattack was believed to have originated outside the United States, but it was too soon to say whether it was carried out by a foreign state or some other entity.
“We believe the intention of the attack was disable infrastructure, more specifically servers, as opposed to looking to steal information,” said the source, who spoke on condition of anonymity because he was not authorized to speak publicly.
On Sunday, a spokeswoman for the FBI would neither confirm nor deny whether an investigation was underway. Katie Waldman, a spokeswoman for the Department of Homeland Security, said, “we are aware of reports of a potential cyber incident affecting several news outlets, and are working with our government and industry partners to better understand the situation.”
Malware attacks are commonplace as hackers target a wide range of industries and government entities. In some “ransomware” cases, the attackers disable the system and demand money to restore services.
It’s unknown whether Tribune Publishing and The Times were asked for a ransom.
In 2016, Hollywood Presbyterian Medical Center paid a $17,000 ransom in bitcoin to a hacker who seized control of the hospital’s computer systems. Two Iranian men were later indicted by a federal grand jury, accused of orchestrating a widespread scheme targeting not only the Hollywood hospital, but also U.S. cities and transportation agencies.
Several people with knowledge of the Tribune situation said the attack appeared to be in the form of “Ryuk” ransomware. One company insider, who was not authorized to comment publicly, said the corrupted Tribune Publishing computer files contained the extension “.ryk.”
Ryuk attacks are “highly targeted, well-resourced and planned,” according to an August advisory by the U.S. Department of Health and Human Services’ cybersecurity program. Victims are targeted and “only crucial assets and resources are infected in each targeted network.”
A source with knowledge of the attack described it as “extremely broad” in scope and believed to have been carried out to disable infrastructure, as opposed to steal information.
The source spoke on condition of anonymity because the individual was not authorized to comment publicly.
Clifford Neuman, director, USC’s Center for Computer Systems Security, said that Ryuk appears to have surfaced this summer. Unlike some ransomware, which spreads like a virus or worm, Ryuk “tends to trick an individual into downloading or clicking on a particular link, or visiting a web site,” Neuman said.
It can also gain access to systems through poorly protected remote access, said Stephen Cobb, a senior security researcher at Eset, a internet security company.
He said Ryuk often targets organizations with deep pockets that need immediate access to its files or software. “Ryuk has typically been used to extort money but it could be used in a purely destructive manner,” Cobb said.
While it’s suspected the cyberattack on the newspaper companies originated from outside the United States, such assaults are notoriously difficult to attribute with accuracy.
A feature of malicious code is that it can be copied, and purposely mislead people to believe it came from somewhere else, Cobb said.
Pam Dixon, executive director of the World Privacy Forum, a nonprofit public interest research group, said that “usually when someone tries to disrupt a significant digital resource like a newspaper, you’re looking at an experienced and sophisticated hacker.”
Dixon added that the holidays are “a well-known time for mischief” by digital troublemakers, because organizations are more thinly staffed.
“It’s an optimal time to attack a major target,” she said.
Times staff writer Meg James contributed to this story.