Attribution Unknown in Tribune Publishing Attack

Written by

The malware attack that disrupted the printing operations of the Chicago Tribune and other Tribune Publishing newspapers, including the Los Angeles Times, remains under investigation with no clear evidence that points to a source responsible for the attack, according to the Chicago Tribune.

“Sunday print editions were delivered in its markets across the U.S. but did not contain classified ads and some paid death notices, which share a common system disrupted by the malware," the Chicago-based company said.

The attack, which was reported to the FBI on December 28, 2018, disrupted newspaper delivery to Los Angeles Times subscribers, for which the company apologized in a note to readers.

As is often the case with high-profile attacks, people want to know what happened, yet the investigation remains ongoing despite some reports attributing the attack to the Lazarus Group, an advanced persistent threat (APT) group linked to North Korea. Some have been inclined to point to North Korea because an unidentified source familiar with the investigation reportedly said the malware had been identified as Ryuk ransomware, which has previously been linked to the Lazarus Group.

“While there’s plenty of speculation, there are relatively few facts available about this incident at the moment,” said Tim Erlin, VP, product management and strategy at Tripwire. “It’s unclear at this point whether this was a targeted or opportunistic attack. The impact to newspaper delivery could be collateral damage or the intended result. We should all be wary of jumping to conclusions without sufficient information in hand. The headline that grabs the most clicks may not be the most accurate.”  

Not everyone is heeding Erlin’s advice, however, which prompted Robert M. Lee, CEO and founder of Dragos Inc., to turn tweets into a blog post explaining why attribution is not transitive, particularly in the case of this malware attack.

“Shortly after Tribune Publishing lost operations and ability to print papers the press highlighted that there was a cyber attack,” Lee wrote. “The attack was highlighted as a targeted attack by a nation-state. This was all related to one anonymous insider at the company telling the media. Thus, early on I, and many others on social media, called for calm and patience while the details became public.”

What’s hot on Infosecurity Magazine?