News Corp Targeted in 'Persistent Nation-State Attack'
Investigators at Mandiant Say the Incident Has a 'China Nexus'
Multinational media corporation News Corp was the target of a cyberattack that exposed emails and employee documents - including those belonging to journalists, the company confirmed on Friday. To investigate, News Corp has hired cybersecurity firm Mandiant, which says the attack has a "China nexus."
News Corp, which owns The Wall Street Journal and its parent Dow Jones, the New York Post, MarketWatch and Realtor.com, along with U.K. news outlets, among others, says the incident was detected on Jan. 20, and affects a "number of publications and business units," including the Journal and the Post.
It reported the attack in a securities filing on Friday, indicating that it believes data was exfiltrated. News Corp, which is owned by billionaire media mogul Rupert Murdoch, says its financial and customer data was not affected and that it has consulted law enforcement authorities.
"Mandiant assesses that those behind this activity have a China nexus, and we believe they are likely involved in espionage activities to collect intelligence to benefit China's interests," says David Wong, vice president of incident response at Mandiant, in a statement shared with Information Security Media Group.
Investigators at Mandiant were unable to share additional information on their investigation when asked for comment on Friday.
Liu Pengyu, a spokesperson for the Chinese embassy in Washington, D.C., tells ISMG: "I'm not aware of the detailed information ... mentioned in those reports. I reiterate that China firmly opposes and combats cyberattacks and cyber theft in all forms. This position is consistent and clear. China is a staunch defender of cybersecurity, and has long been a main victim of cyber thefts and attacks."
Pengyu adds: "Identifying the source of cyberattacks is a complex technical issue. We hope that there can be a professional, responsible and evidence-based approach to identifying cyber-related incidents, rather than making allegations based on speculations."
The Journal's reporting on Friday quotes Almar Latour, CEO of Dow Jones and the paper's publisher, saying: "We are committed to protecting our journalists and sources. We will not be deterred from our purpose - to provide uniquely trusted journalism and analysis. We will continue to publish the important stories of our time."
Email to Employees
On Friday, News Corp shared a copy of an email sent to employees by the company's CTO David Kline and CISO Billy O'Brien.
"Cyberattacks from China on global businesses are all too frequent in today's connected environment. … While News Corp has protections in place, we appear to have been the target of persistent nation-state attack activity that affected a limited number of our employees. Even though the vast majority of our people's emails and documents were not the target of this attack activity, we take seriously any attack on our organization and our employees, including our journalists."
News Corp security leaders say they "promptly took steps to contain the activity" and that they believe "the threat activity is contained."
They say business email accounts and documents from News Corp headquarters New Technology Services, Dow Jones, News U.K. and the New York Post were affected by the breach.
"Our highest concern is the protection of our employees, including our journalists, and their sources. We are working closely with the leadership teams of the affected businesses to inform those employees whose accounts were impacted and help them take appropriate measures," the email says. "To our knowledge, this is not targeted at our other business units, including HarperCollins Publishers, Move, News Corp Australia, Foxtel, REA, and Storyful.
"We will not tolerate attacks on our journalism, nor will we be deterred from our reporting, which provides readers everywhere with the news that matters. We believe it is important that other media organizations be made aware of this threat in order to take appropriate precautions."
Wray Speaks on Beijing
The news comes just days after FBI Director Christopher Wray, speaking from the Ronald Reagan Presidential Library and Museum in California, said: "When we tally up what we see in our investigations - over 2,000 of which are focused on the Chinese government trying to steal our information or technology - there is just no country that presents a broader threat to our ideas, our innovation and our economic security than China."
Wray said the FBI opens a new counterintelligence case against China about twice per day. The country's strategy, he said, is "especially dangerous" because it involves economic espionage on multiple fronts, and Chinese hackers are capable of using "every available resource to try to steal" technologies.
Journalists remain a top target for state-backed hackers, due to their source collection and access to sensitive information. This is not the first time that journalists at top-tier publications such as The Wall Street Journal or The New York Times have been targeted.
China has denied allegations that it has conducted such cyberattacks.
Nonetheless, between 2020 and 2021, there were tensions between the U.S. and China on press credentials for reporters operating within China. The countries agreed to ease visa restrictions in November 2021.
Targeting Sources
Cybersecurity experts also confirm to ISMG that when journalists are targeted by state-backed actors, oftentimes the true target is indeed their sources.
Toby Lewis, global head of threat analysis at the security firm Darktrace, tells ISMG: "The problem is: The methods used by these groups are always changing. Traditional defenses that have been used by many media corporations, newspapers, online magazines and broadcasters for the last 20 years can [only] stop known attacks."
Lewis adds: "The reality is that media corporations will be under constant attack from the most sophisticated attackers every minute of every day. Reliable and trustworthy sources of media and information are essential, and that is why we have seen an uptick in media organizations partnering with AI to defend journalists and critical systems."
Others contend that there will be new developments in this News Corp case.
"Cyberattack attribution is extremely difficult, and while the casual reader may draw the conclusion here that China is responsible - which may be true, it's worth noting the language that Mandiant uses," says Tim Erlin, vice president of strategy at the security firm Tripwire. "The statement does not go as far as pointing to the Chinese government directly."
Erlin also says: "On its surface, this seems like the kind of incident the newly formed Cyber Safety Review Board might investigate."
The review board, which was officially announced by the Department of Homeland Security on Thursday, consists of 15 cybersecurity experts from federal agencies and the private sector. It is modeled after the National Transportation Safety Board, which investigates aviation accidents and other transportation mishaps.
+++
Update [Feb. 7, 9 a.m.]: This story has been updated to include comments from the Chinese Embassy in Washington, D.C.