
Philadelphia Inquirer Operations Severely Disrupted by Cyber Attack, Offices Closed for Remediation

A cyber attack on one of the oldest newspapers in the United States has damaged editorial services and advertising to such a degree that it is “unclear” when normal operations will be restored.

The Philadelphia Inquirer, the third oldest continually operating newspaper in the US, had its offices shut down and had to scramble to find temporary working space ahead of a city election. The cyber attack appears to have had a widespread impact on the paper, taking out its content management system, but workarounds have been put in place to keep the online edition up and print the standard weekday edition.

Philadelphia Inquirer operations disrupted in worst incident since 1996 blizzard

The last time the paper’s operations were impacted to anything near this degree was the winter of 1996, when a fierce blizzard kept employees from the office for two days.

The culprit in the cyber attack appears to be ransomware. Few details have been made public as of yet so there is no indication as to who the perpetrator is, but the incident reportedly began on Saturday the 13th (after the early Sunday edition had already been printed). The attack took out the paper’s content management system, but staff was apparently able to implement a workaround method to continue publishing both print and online stories for the time being.

The paper’s operations appear to be leaning on remote work to at least some degree as the offices have been vacated and a temporary newsroom has been established in Center City. The timing of the cyber attack was particularly rough as it came two days ahead of a mayoral primary and a special election for a state House seat, with no timetable established for the paper’s offices to re-open.

Though the Inquirer has admirably managed to keep its primary operations going in the wake of the cyber attack, it is unclear when things will be entirely back to normal. There appear to be ongoing issues with the paper’s classified ads, with the normal section not included with the Monday and Tuesday editions of the paper (though the online classified listings appear to be functioning normally).

It is also still unknown if subscriber or employee personal information was compromised in the cyber attack. The paper’s network security vendor, Cynet, notified it of anomalous activity beginning on Thursday the 11th. However, there was no apparent impact to operations until Saturday morning, when staff began having trouble with the content management system. The regular Sunday print edition had to be suspended, though it appeared online as an “e-edition.”

The issues with the classified ads might go beyond revenue loss for the paper as the section is used for obituaries, wedding announcements, government notices, court notices and name changes among other public advisories. The paper said that it had no plans to issue refunds to subscribers as the standard Sunday print edition for May 14 was the only product that was taken off of physical brick-and-mortar shelves, but it was made available to readers online.

Cyber attack may slow publication of stories for some time

The cyber attack has left big unanswered questions about possible personal and bank information being compromised that will need to be addressed in the coming days, but at the moment the expected ongoing impact is simply that news stories may be slower to post than usual.

Jeannie Warner, Director of Product Marketing for Exabeam, notes that some clues are available in the description of the response as interested parties wait for more information from official sources: “While details are still emerging from the incident, there are a few indicators of the nature of the attack from what we know so far. For example, not allowing people to come into the office might imply local network compromise, such as ransomware spreading as new systems hook up to it. Petya/NotPetya and other similar ransomware strains have this ability to perform lateral movement. Because the investigation went from Thursday when it was initially detected until Saturday, it’s likely that the threat actors were able to do quite a bit over the weekend. Plus, this incident might be a preview of what is to come. As we get closer to the 2024 presidential elections, I expect attacks on news sources and online media to continue … It appears that the Philadelphia Inquirer had a solid strategy for their network and endpoint monitoring to initially identify the attack. However, it is also critical that organizations have the automation capabilities to streamline the entire investigation to reduce dwell time and damages.”

Newspapers are an increasingly popular target for cyber attacks, but generally not by the type of profit-seeking hackers that deploy ransomware. They are generally more of an espionage target, particularly for foreign governments looking to uncover the identities of confidential sources. Some have also appeared to be interested in establishing long-term footholds that might be used to spread misinformation at a critical moment.

Recent cyber attacks on other newspapers indicate that it might take a long time for the Inquirer’s operations to be completely restored to normal. A December 2022 attack on The Guardian disrupted its online operations for a considerable amount of time, and some of its offices ended up being closed for months during remediation. International media giant News Corporation also recently disclosed that state-backed hackers, most likely linked to China, were covertly accessing internal systems at multiple news properties for almost two years beginning in February 2020.

The Inquirer reported that it does not require multi-factor authentication for “many” of its key internal systems, indicating that it did not take any lessons from all of these recent attacks on media outlets (despite also disclosing that its reporters have been targeted by spearphishing attacks). Often, it takes a disruption of internal operations such as this to finally wake a company up.

Nathan Wenzler, chief security strategist for Tenable, notes that the potential consequences of neglecting cybersecurity are only going up as time goes on: “With so many different potential motivations and methodologies, it’s imperative that organizations are doing everything they can to stay ahead of the curve and proactively take measures to understand the state of security risk in their environment, implement strong controls and remediation practices to reduce that risk and have a response and recovery plan already in place and ready to go before a compromise takes place. Solving these sorts of issues doesn’t happen overnight, and certainly not when everything is already on fire and under attack. Being more focused on a preventative approach to cybersecurity from day one allows any organization to be better prepared to respond while reducing the overall likelihood of a headline-making breach.”

Jon Miller, CEO & Co-founder of Halcyon, adds: “While many organizations have stepped up efforts to prepare for a ransomware attack by implementing controls like anti-ransomware and endpoint protection solutions, most organizations have not done the hard work of actually preparing for a successful ransomware attack. In addition to prevention capabilities, organizations need to hold regular tabletop exercises where they can stress test their incident response plans and develop contingencies to account for disruptions to systems and critical services.”