Cyberattack at the Philadelphia Inquirer.

The Philadelphia Inquirer was hit by a cyberattack last week which interrupted its news publications. “The Inquirer had been unable to print its regular Sunday newspaper, and it was not clear until late Sunday afternoon that it would be possible to print Monday’s editions of The Inquirer and Daily News newspapers. Online posting and updating of stories to Inquirer.com continued, though sometimes slower than normal,” the Inquirer wrote. The paper reported that employees would be barred from entering its main office which could impact the paper’s coverage of the Democratic primary for the mayoral race.

News organizations have distinctive vulnerabilities that make them attractive targets.

Ismael Valenzuela, VP of Threat Research & Intelligence at BlackBerry, explains that news organizations make a great target for ransomware in particular as they are affected more than most companies by downtime as they lose money when they can’t meet deadlines. “Cybercriminals in general, and ransomware groups in particular, are very interested in attacking targets where the impact in terms of downtime and loss of revenue is very high. For a media company like the Philadelphia Inquirer, missing a print cycle is damaging, especially at a critical time in an election period, and attackers know this.”

Jake Milstein, former News Executive at CBS, Fox, and NBC, explains that cyber attacks against news agencies are nothing new, even going so far as to call the cyber threat actors “terrorists.” He writes “Journalism has long been the target of criminals. In disrupting the flow of news, criminals are robbing the public of urgent and necessary information. It is no surprise that a ransomware terrorist would want to attack a news operation, because it is an attack on the American way of life. News organizations across America should take the cyber threat as seriously as they take physical threats and never let the criminals stop journalists from doing their jobs.”

The history of the incident. 

The Philadelphia Inquirer was first alerted to suspicious activity on Thursday May 11th by their third-party cyber security vendor. “But the weekend skeleton crew discovered Saturday morning that access to The Inquirer’s content-management system was down. After a few hours the newspaper was able to use workarounds to post new articles on their website. It was forced to publish an earlier edition of the Sunday newspaper, created on Friday, as they were unable to create a workaround for printing a finalized edition on Sunday. The Inquirer has alerted the FBI’s Philadelphia field office, and the FBI has yet to comment on the attack as of the writing of this article.

Industry experts on the implications of the attack.

Jeabbie Warner, Director of Product Marketing for Exabeam assessed that the attack was possibly a ransomware attack based on the Inquirer’s response. “While details are still emerging from the incident, there are a few indicators of the nature of the attack from what we know so far. For example, not allowing people to come into the office might imply local network compromise, such as ransomware spreading as new systems hook up to it. Petya/NotPetya and other similar ransomware strains have this ability to perform lateral movement. Because the investigation went from Thursday when it was initially detected until Saturday, it’s likely that the threat actors were able to do quite a bit over the weekend. Plus, this incident might be a preview of what is to come. As we get closer to the 2024 presidential elections, I expect attacks on news sources and online media to continue.” 

Mike Hamilton, Founder and CISO of Critical Insight, adds "Cyber attacks against media are becoming more frequent, usually in the context of conflict – for example cyber activists taking over broadcast channels in Russia to message the population. Especially during an election it is possible that activists or political opponents are involved, but it is more likely that the Inquirer has been victimized by criminals. This is evidenced by the fact that none of the outlets have been used for misinformation or propaganda and the attack is clearly disruptive.”