One of the biggest media organizations in German-speaking territories has become the victim of a sustained cyberattack over the Christmas holiday, forcing several newspapers to cancel or offer severely curtailed "emergency" editions. The attack, which is still ongoing, began last Tuesday.
The Funke Media Group, which publishes dozens of newspapers and magazines and runs several local radio stations and online news portals, said on Monday that some 6,000 of its computers had been "potentially infected" in the attack, which had affected several central computer systems at all its locations in Germany.
Andreas Tyrock, editor-in-chief of the Funke-owned Westdeutsche Allgemeine Zeitung (WAZ), added in a statement that the "colossal" attack had left the data on its IT systems encrypted and made them "unusable for now."
All IT systems had to be powered down to prevent further damage, which means that "all editorial systems and the entire technology for newspaper production had been switched off, and even remotely normal work is currently impossible," Tyrock wrote. "The newspaper pages are essentially built by hand, in many places from home."
A quarantine network
The group would not comment on media reports that the hackers had demanded a ransom to be paid in Bitcoin. State prosecutors and police are currently leading the investigation, while Funke said it has scrambled a team of IT experts to build a "quarantine network" of untainted computers and a skeleton IT system to continue working.
Such attacks are nightmare scenarios for a media company like Funke, which employs some 6,000 people across Germany, but trying to stave them off has long since become a routine duty, experts say.
"This happens constantly, and now it's established itself as a business model," said Thorsten Urbanski, head of communications at international cybersecurity firm ESET. According to Urbanski, international networks of hackers, who often don't even know each other, can work together on an attack — in teams of anywhere between three and 20.
"These are professional structures, sometimes with state actors behind them," he told DW. "It's highly lucrative, and the division of labor is organized: One team develops it, another distributes it, then there's a payment service that processes it, usually by bitcoins."
All it takes to let in a "ransomware attack" is for one employee to open the wrong email attachment. Often these emails look innocuous and plausible enough — a common disguise is a job application containing a Word document or a PDF labeled as a resume, but the lure can just as easily be an invoice or a link to a file-sharing service such as Dropbox.
"It's actually not that sophisticated," said Christian Beyer of the German company Securepoint. "You open the Word document, the document contains a macro, and the macro downloads the malware from the internet." A macro is a kind of shorthand instruction for the computer.
The malware then installs itself on the employee's computer and finds a way to infiltrate the whole network. To make things worse, such programs can lie dormant for months before they activate and start encrypting data, which means even the company's IT department often cannot trace the initial "infection."
There are plenty of security companies that create tools to help filter out such emails, but all it takes is one human error to let the malware in. "The challenge is to make it so difficult that the operation isn't worth it," says Urbanski.
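A mail-gateway style check along the lines the experts describe, added here as an illustration and not code from Funke, ESET or Securepoint: it inspects an Office attachment's OOXML container for an embedded VBA project (the "macro" Beyer refers to) and also flags a macro-free extension such as .docx that nonetheless carries one. The function names and the in-memory sample documents are constructed for this example; legacy binary .doc files (OLE containers) are outside its scope.

```python
import io
import zipfile

# Archive members that mark an OOXML document as carrying a VBA project.
VBA_PART_NAMES = ("word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin")
# Extensions that are supposed to be macro-free; macros inside them are a mismatch.
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")


def find_macro_indicators(filename, data):
    """Return the reasons an Office attachment should be held for review.

    Opens the OOXML zip container, looks for an embedded VBA project and
    checks whether a macro-free extension hides one. An empty list means
    nothing suspicious was found. Legacy .doc (OLE) files are not handled.
    """
    reasons = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not an OOXML container at all; treat as suspicious rather than passing it.
        return ["not a valid OOXML container"]
    names = {name.lower() for name in archive.namelist()}
    if any(part in names for part in VBA_PART_NAMES):
        reasons.append("contains VBA project (vbaProject.bin)")
        if filename.lower().endswith(MACRO_FREE_EXTENSIONS):
            reasons.append("macro-free extension but macros embedded")
    return reasons


def build_sample(with_macro):
    """Construct a minimal OOXML archive in memory (constructed sample, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes stand in for a real VBA project stream.
            archive.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for name, payload in (("resume.docm", build_sample(True)),
                          ("resume.docx", build_sample(True)),
                          ("resume.docx", build_sample(False))):
        print(name, find_macro_indicators(name, payload))
```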
Beyer says the type of hack Funke suffered is a relatively old ploy: "We've been seeing attacks like this since about 2011 or 2012," he told DW. "Of course they've become more sophisticated over time, and found different weak points." At first, such attacks targeted parts of an IT system that were accessible from the internet; now they increasingly rely on tricking employees. "There are thousands of attacks every day," he said.
Ransomware attacks can be dangerous: In September 2020, a cyberattack knocked out critical systems at a university hospital in Düsseldorf, western Germany. According to media reports, the hackers actually meant to attack the city's university. They reportedly released the decryption key when police told them that lives were in danger. In the Düsseldorf case, the initial infection is believed to have occurred nine months earlier.
But the case made clear that hospitals, often cash-strapped, are potentially soft targets for cyberattacks — which is why the German government is investing 15% of its new budget for digitalizing the health care system into IT security.
What remains unclear is exactly how often such ransom demands are met. "Those who pay don't talk about it," said Beyer. "But it's not advisable, because you're marked then. People who pay once will pay again."
And yet it's understandable that many companies do pay: The clean-up operation that Funke has embarked on — effectively setting up a separate, untainted IT system — can be a huge drain on labor and resources, which for a small or medium-sized company can be devastating. And of course, launching such an attack over Christmas, when many workers are on holiday, applies even more pressure by dragging out the process even longer.