The cyberattack that took place at the Philadelphia Inquirer earlier this month has now been attributed to a specific criminal group. The Cuba ransomware gang has claimed responsibility for the attack. The Inquirer had not released many details about the attack prior to the announcement, but operations were significantly disrupted, and it was speculated that the paper was being extorted by cybercriminals.
Yesterday, BleepingComputer reported that those suspicions had received some confirmation: on May 23rd the Cuba ransomware group posted data stolen from the Inquirer on its extortion portal. The files, which Cuba says it obtained on May 12th, are said to include “financial documents, correspondence with bank employees, account movements, balance sheets, tax documents, compensation, and source code.”
As CISA points out, the Cuba gang (formerly known as “Fidel”) has nothing to do with Cuba, the Caribbean nation. It has been active since 2019 and seems to be a Russian operation. TechCrunch laid out the case for this attribution at mid-month, basing its report on research by BlackBerry and Palo Alto Networks’ Unit 42. It appears to be another in a long line of deniable fronts. Cuba has been heavily engaged against Ukrainian targets since the early days of Russia’s war.
Jeannie Warner, Director of Product Marketing at Exabeam, offered some informed speculation on how the attack might have unfolded. “While details are still emerging from the incident, there are a few indicators of the nature of the attack from what we know so far,” she wrote. “For example, not allowing people to come into the office might imply local network compromise, such as ransomware spreading as new systems hook up to it. Petya/NotPetya and other similar ransomware strains have this ability to perform lateral movement. Because the investigation went from Thursday when it was initially detected until Saturday, it’s likely that the threat actors were able to do quite a bit over the weekend. Plus, this incident might be a preview of what is to come. As we get closer to the 2024 presidential elections, I expect attacks on news sources and online media to continue.”
In general, she commends the Inquirer for being prepared to detect and respond to an attack. “It appears that The Philadelphia Inquirer had a solid strategy for their network and endpoint monitoring to initially identify the attack.” In that response Warner also sees a clear role for automation. “However, it is also critical that organizations have the automation capabilities to streamline the entire investigation to reduce dwell time and damages. Oftentimes it is a matter of how many attackers there are in a network, how long they have had access, and how far they have gone rather than if the attackers are there in the first place. Combining user and entity behavior analytics (UEBA) to identify anomalous behavior with automation in response — such as triggering multi-factor authentication (MFA), rotating passwords, etc. — can speed improvement and limit the spread faster than only triggering escalation and notifications. I want to commend the Philadelphia Inquirer for their swift incident response processes and engaging a third party for forensic investigation. There are still threats looming, and a lot of adversaries will attack your infrastructure while it’s at its weakest. By being prepared, it’s likely the company will be able to mitigate some of the damages.”
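Warner's pairing of UEBA-style anomaly detection with automated containment, sketched as an added example that is not part of the original article and is not Exabeam's code: constructed logon records build a per-user baseline of usual hosts and hours, new events are scored against it (a burst of first-seen hosts within ten minutes stands in for the lateral-movement pattern she describes), and the score maps to response actions rather than to a notification alone. The user names, host names, thresholds and action labels are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample logon records, "timestamp,user,host" (not real data).
BASELINE_LOG = """\
2023-05-01T09:02:00,alice,WS-ALICE
2023-05-02T08:55:00,alice,WS-ALICE
2023-05-01T10:00:00,bob,WS-BOB
2023-05-02T10:12:00,bob,FILESRV01
"""
NEW_EVENTS = """\
2023-05-11T23:40:00,alice,FILESRV01
2023-05-11T23:41:00,alice,DC01
2023-05-11T23:42:00,alice,PRINTSRV
2023-05-12T10:05:00,bob,WS-BOB
"""
def parse(log):
    rows = (line.split(",") for line in log.strip().splitlines())
    return [(datetime.fromisoformat(t), u, h) for t, u, h in rows]
def build_baseline(events):
    # Per-user profile of the hosts and hours seen during the learning period.
    base = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ts, user, host in events:
        base[user]["hosts"].add(host)
        base[user]["hours"].add(ts.hour)
    return base
def score_events(base, events, window_s=600):
    # Highest score per user; a burst of first-seen hosts resembles lateral movement.
    best, burst = {}, defaultdict(list)
    for ts, user, host in sorted(events):
        prof = base[user]  # unknown users get an empty profile, so everything is new
        score, why = 0, []
        if host not in prof["hosts"]:
            score, why = score + 2, why + [f"new host {host}"]
            burst[user] = [t for t in burst[user] if (ts - t).total_seconds() <= window_s] + [ts]
            if len(burst[user]) >= 3:
                score, why = score + 3, why + ["3+ new hosts within window"]
        if ts.hour not in prof["hours"]:
            score, why = score + 1, why + [f"unusual hour {ts.hour:02d}"]
        if score > best.get(user, (-1, []))[0]:
            best[user] = (score, why)
    return best
def respond(score):  # containment fires automatically; escalation alone leaves dwell time high
    if score >= 5:
        return ["require_mfa", "rotate_password", "escalate"]
    return ["require_mfa"] if score >= 2 else []
def triage(baseline_log=BASELINE_LOG, new_log=NEW_EVENTS):
    base = build_baseline(parse(baseline_log))
    return {u: {"score": s, "reasons": r, "actions": respond(s)}
            for u, (s, r) in score_events(base, parse(new_log)).items()}
```

Calling `triage()` on the constructed data flags alice at score 6 with all three actions (three first-seen hosts inside ten minutes, at an hour never seen in her baseline) and leaves bob at 0 with no action.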
The lessons of this attack are clear: organizations need to be prepared for cyberattacks and have a solid strategy for detecting and responding to them. Automation and UEBA are critical tools for reducing dwell time and damages. The Philadelphia Inquirer’s swift response process and its engagement of a third party for forensic investigation show that it was well prepared for the attack. Attacks on news sources and online media are also likely to continue as the 2024 presidential elections approach, and organizations should be aware of these threats and take proactive measures to protect themselves.