Cuba ransomware gang claims Philadelphia Inquirer attack.
N2K, May 24, 2023

Cuba (no relation to the country whose capital is Havana) claimed responsibility for the ransomware attack that crippled the Philadelphia Inquirer this month.

The cyberattack the Philadelphia Inquirer sustained at mid-month may now be attributed to a specific criminal group. The Cuba ransomware gang has claimed responsibility.

Cuba dumps stolen files on its site.

The Inquirer had closely held information about the attack it sustained, disclosing few details. The paper's operations were significantly disrupted, and outsiders speculated that the paper was being extorted by cybercriminals. Yesterday, BleepingComputer reports, those suspicions received some confirmation. The Cuba ransomware group on May 23rd posted data stolen from the Inquirer on Cuba's extortion portal. The files, which Cuba says it obtained on May 12th, are said to include "financial documents, correspondence with bank employees, account movements, balance sheets, tax documents, compensation, and source code."

(Update, 6:15 AM, May 26th, 2023. The Philadelphia Inquirer has looked into the data posted on Cuba's dump site and says they're bogus, that they didn't come from the paper. "We have seen no evidence to date that any data related to The Inquirer has been shared online," Inquirer Publisher and CEO Lisa Hughes told the Register. Cuba has since taken the files down from its site. Investigation continues.)

A Russian front group with no connection to Cuba proper.

As CISA points out, the Cuba gang (formerly sometimes known as "Fidel," and prone to use illustrations of Fidel and Che in its self-presentations, complete with trademark stogies) has nothing to do with Cuba, the Caribbean nation. It's been active since 2019, and seems to be a Russian operation. One of its characteristic tells has been to terminate when it detects a Cyrillic keyboard, behavior long associated with the Russian criminal underworld. Cuba, however, is widely believed to be a state-directed operation rather than a purely criminal one. TechCrunch laid out the case for this attribution at mid-month, basing its report on research by BlackBerry and Palo Alto Networks' Unit 42. It appears to be another in a long line of deniable fronts. Cuba has been heavily engaged against Ukrainian targets since the early days of Russia's war.

Lessons in incident response.

Jeannie Warner, Director of Product Marketing, Exabeam, offered some informed speculation on how the attack might have unfolded. "While details are still emerging from the incident, there are a few indicators of the nature of the attack from what we know so far," she wrote. "For example, not allowing people to come into the office might imply local network compromise, such as ransomware spreading as new systems hook up to it. Petya/NotPetya and other similar ransomware strains have this ability to perform lateral movement. Because the investigation went from Thursday when it was initially detected until Saturday, it's likely that the threat actors were able to do quite a bit over the weekend. Plus, this incident might be a preview of what is to come. As we get closer to the 2024 presidential elections, I expect attacks on news sources and online media to continue."

In general, she commends the Inquirer for being prepared to detect and respond to an attack. "It appears that the Philadelphia Inquirer had a solid strategy for their network and endpoint monitoring to initially identify the attack." In such response Warner sees a clear role for automation. "However, it is also critical that organizations have the automation capabilities to streamline the entire investigation to reduce dwell time and damages. Oftentimes it is a matter of how many attackers there are in a network, how long they have had access, and how far they have gone rather than if the attackers are there in the first place. Combining user entity behavior and analytics (UEBA) to identify anomalous behavior with automation in response — such as triggering multi-factor authentication (MFA), rotating passwords, etc. — can speed improvement and limit the spread faster than only triggering escalation and notifications. I want to commend the Philadelphia Inquirer for their swift incident response processes, and engaging a third-party for forensic investigation. There are still threats looming, and a lot of adversaries will attack your infrastructure while it's at its weakest. By being prepared, it's likely the company will be able to mitigate some of the damages."
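To make the pairing of behavioral analytics with automated response concrete, here is an added example that is not part of the article and is not code from Exabeam or the Inquirer. It reads constructed authentication records (account, source host, destination host), builds a per-account baseline of hosts each account normally reaches, flags an account that authenticates to several never-before-seen hosts in a short window (the lateral-movement pattern Warner describes), and maps that finding to the kind of automated containment steps she lists. The log format, the account and host names, the ten-minute window, and the three-host threshold are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication records (not real Inquirer data):
# "<ISO timestamp> <account> <source host> <destination host>".
SAMPLE_LOGS = """\
2023-05-10T09:01:00 jdoe WS-101 FS-01
2023-05-10T09:05:00 jdoe WS-101 MAIL-01
2023-05-11T09:02:00 jdoe WS-101 FS-01
2023-05-11T14:20:00 jdoe WS-101 MAIL-01
2023-05-11T09:00:00 asmith WS-202 FS-01
2023-05-12T03:12:00 jdoe WS-101 FS-02
2023-05-12T03:12:30 jdoe WS-101 DC-01
2023-05-12T03:13:10 jdoe WS-101 PRINT-01
2023-05-12T03:13:45 jdoe WS-101 WS-305
2023-05-12T03:14:20 jdoe WS-101 WS-306
2023-05-12T08:30:00 asmith WS-202 FS-01
2023-05-12T08:35:00 asmith WS-202 MAIL-01
"""

# Assumed cutoff: everything before it is treated as the learned "normal" period.
BASELINE_CUTOFF = datetime(2023, 5, 12)


def parse_logs(text):
    """Parse the space-separated records into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "src": src, "dst": dst})
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, cutoff):
    """Per-account set of destination hosts seen before the cutoff."""
    baseline = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff:
            baseline[e["user"]].add(e["dst"])
    return baseline


def detect_lateral_movement(events, baseline, cutoff,
                            window=timedelta(minutes=10), threshold=3):
    """Flag accounts reaching >= threshold never-before-seen hosts inside one window.

    A sliding window runs over each account's new-host authentications; the first
    window that meets the threshold produces one alert carrying every new host
    reached within that window, which is what a responder wants for triage.
    """
    new_host_events = defaultdict(list)
    for e in events:  # events are already time-ordered
        if e["ts"] >= cutoff and e["dst"] not in baseline[e["user"]]:
            new_host_events[e["user"]].append(e)

    alerts = []
    for user, evs in new_host_events.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if len({x["dst"] for x in evs[start:end + 1]}) >= threshold:
                limit = evs[start]["ts"] + window
                burst = [x for x in evs[start:] if x["ts"] <= limit]
                alerts.append({
                    "user": user,
                    "first_seen": evs[start]["ts"],
                    "source": evs[end]["src"],
                    "new_hosts": sorted({x["dst"] for x in burst}),
                })
                break  # one alert per account is enough for triage
    return alerts


def recommend_actions(alert):
    """Map a finding to automated containment steps (assumed action names)."""
    actions = ["require_mfa_stepup:" + alert["user"],
               "rotate_password:" + alert["user"]]
    if len(alert["new_hosts"]) >= 5:  # wide fan-out: also contain the source host
        actions.append("isolate_host:" + alert["source"])
    actions.append("open_ir_ticket")
    return actions


def run(text=SAMPLE_LOGS, cutoff=BASELINE_CUTOFF):
    """Full pipeline: parse, baseline, detect, and attach response actions."""
    events = parse_logs(text)
    baseline = build_baseline(events, cutoff)
    alerts = detect_lateral_movement(events, baseline, cutoff)
    for a in alerts:
        a["actions"] = recommend_actions(a)
    return alerts


if __name__ == "__main__":
    for a in run():
        print(a["user"], a["first_seen"].isoformat(), a["new_hosts"], a["actions"])
```

In the sample data the account jdoe, which normally reaches only two hosts, touches five new hosts at 3 a.m. within about two minutes, so it is flagged and the source workstation is marked for isolation; asmith reaches one new host and stays below the threshold. A real deployment would learn the baseline continuously and gate the riskier actions (host isolation) behind an analyst approval, while the cheaper ones (MFA step-up, password rotation) run immediately, which is the dwell-time trade-off the quote is pointing at.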