China-backed hackers linked to News Corp cyber attack

China has been accused of launching a cyber attack on a number of high-profile media organisations and journalists with the intent to steal data for the purposes of espionage.

Rupert Murdoch's News Corp announced on Friday that its journalists had their emails hacked and information had been stolen. Well-known media organisations under the News Corp umbrella include Dow Jones' Wall Street Journal and Barrons, News UK's The Sun and The Times, the New York Post, Harper Collins Publishers, and the New York Post.

News Corp brought in cyber security firm Mandiant to perform an initial assessment of the attack which informed the corporation's disclosure in a filing with the US Securities and Exchange Commission (SEC).

"Mandiant assesses that those behind this activity have a China nexus, and we believe they are likely involved in espionage activities to collect intelligence to benefit China's interests," said David Wong, vice president, consulting at Mandiant to IT Pro

"In January 2022, the Company discovered that one of [its cloud-based] systems was the target of persistent cyber attack activity," News Corp said in the filing. "Together with an outside cyber security firm, the Company is conducting an investigation into the circumstances of the activity to determine its nature, scope, duration and impacts. The Company’s preliminary analysis indicates that foreign government involvement may be associated with this activity, and that data was taken."

News Corp also said its systems dedicated to housing customer and financial data were not affected and has not experienced and relate interruptions to its business operations or systems. The corporation believes the situation is now contained and said it is currently unable to determine the financial cost the attack and resultant investigation will incur.

"News Corp certainly isn't the first news organisation targeted in an espionage campaign and won't be the last," said Sam Curry, chief security officer, Cybereason to IT Pro. "Other high profile attacks against the New York Times and Associated Press have made headlines in the past and I'd suspect many other news organisations are being targeted on a daily basis. If there is a silver lining with this latest cyberattack, it appears to be that News Corp minimised the data loss."

News Corp went on to say in the SEC filing that cyber attacks have been affecting businesses more frequently in recent years and that it "has experiences, and expects to contribute to be subject to, cyber security threats and activity. It said it can't make assurances that the China-linked January attack will not have a material adverse effect in the future and the countermeasures it implemented will prevent further attacks.

"Groups associated with the Chinese government have long been accused of targeting journalists – often those that report on human rights," said Toby Lewis, head of threat analysis at Darktrace. "However, from my experience, when attacks against media corporations are purely for espionage purposes, the real target is not the journalist but their in-country sources.

Democracy under fire

The attack on News Corp is the latest in a long line of cyber attacks on news organisations and follows a year in which a large number of campaigns targeting journalists were uncovered.

"The media and entertainment industry plays a vital role in forming public outlook and a national view, making it a significant target for cyberthreat actors, nation-states and hacktivists seeking visibility," said Atos in a 2021 report.

"Nation-state-sponsored threat actors may try to exfiltrate or destruct such content to expose or discourage certain publications or merely to evaluate what the organisation knows about the issue and identify its sources."

First discovered in 2016, NSO Group's infamous Pegasus spyware continued to be used against journalists across the world, including those based in the United Arab Emirates, Egypt, and El Salvador, with the latter case prompting Apple to launch a lawsuit against the Israeli creator of the spyware.

Speaking at Black Hat Europe in November 2021, Stanford University’s Marietje Schaake criticised global governments for not introducing stronger regulations on state-backed cyber attackers. She said world leaders have "barley acted" on the issues and this inaction "effectively condones" attacks on democracy.

Google also made the decision in October 2021 to provide 10,000 high-risk Gmail users, such as journalists, with access to security keys and its Advanced Protection Program in the wake of high-profile attacks.