Last week hackers attacked the infrastructure of Tribune Publishing, delaying the printing and distribution of newspapers across the country.
Newspapers that were affected include the Chicago Tribune, Baltimore Sun, Ft. Lauderdale Sun-Sentinel and the west coast editions of the Wall Street Journal and the New York Times, all of which are printed at the Los Angeles Times Olympic printing plant in downtown Los Angeles.
The IT staff at the Union-Tribune and LA Times enlisted the help of the FORMER owner, Tribune Publishing, in trying to quarantine the malware, but it remained ahead of them.
The newspapers were eventually printed and distributed the next day – not a great situation for a newspaper.
I highlight former owner here because there was a lot of collateral damage. The attack target may have been biotech billionaire Dr. Patrick Soon-Shiong, but by attacking the printing plant and its network, they also took out the west coast editions of the Wall Street Journal and New York Times along with the papers of Tribune publishing across the country.
Current tips seem to point to the Ryuk family of ransomware, a tool mostly used by hackers for surgical strikes like this as opposed to spray and pray attacks that we typically see.
Soon-Shiong bought the Los Angeles Times and San Diego Union-Tribune last year for $500 million.
What is important to consider here is that attackers are sometimes completely willing to disable people with whom they have no quarrel in order to get to the company they are actually interested in. This is different from old-style attacks where a robber comes face to face with their victim. The old-school robbery is much more personal; in this type of attack, hackers can inflict collateral damage far more easily.
As all organizations use more shared infrastructure (aka cloud services), the likelihood of becoming collateral damage goes up.
The Tribune said that the personal data of their subscribers was not stolen, and that makes sense if the attack was against their printing and delivery network. However, the attack could just as easily have been against their circulation network, and if that were the case, the story would be different.
Many times this particular ransomware attack is designed to force businesses to pay a very large ransom – sometimes in the multiple hundreds of thousands of dollars. On a shared platform you may not even have the option to pay the ransom, and if the attacker asks for a $250k or $500k ransom, companies are likely to have a big “gulp” moment.
Businesses need to add the “collateral damage” scenario to their cyber incident response plans and test exercises.
For more information on the attack, see the New York Times, the San Diego Tribune or the Associated Press.