A cyber attack on multinational media giant News Corp targeted dozens of Wall Street Journal (WSJ) reporters and was conducted by suspected Chinese hackers, according to an investigation by leading cybersecurity firm Mandiant.
The purpose of the cyber attack appeared to be espionage, with information exfiltrated from email and Google Drive accounts since at least February 2020. Based on the information that was targeted, Mandiant believes government-backed Chinese spies conducted the operation to gather intelligence.
Chinese hackers suspected of spying on “dozens” of WSJ reporters for years
Mandiant is classifying the incident as a “persistent cyber attack” based on the lengthy breach window. The WSJ reporters had emails and Google Docs uploads surveilled by the Chinese hackers for about two years, with the attackers observed searching for items related to the Chinese government and developments in the country. Most of the reporters and editors whose accounts were breached specialized in covering China.
Investigators are still reviewing forensic data to determine exactly what was exfiltrated. Journalists are frequent targets of nation-state hacking teams and, for that reason, often have a policy of not discussing sensitive information in unencrypted email accounts. WSJ has briefed the journalists involved; for its part, a spokesperson for the Chinese Embassy denied any knowledge of the incident.
The breach was apparently restricted to the work email accounts and inter-office file sharing of reporters, with no financial or customer information thought to have been accessed by the Chinese hackers. News Corp said that it is sharing information about the cyber attack with other news agencies that might also have been targeted by this same team. In addition to WSJ, News Corp owns a number of other major media companies: HarperCollins, News UK and The New York Post.
This is not the first time Chinese hackers have stealthily infiltrated a major American newspaper and eavesdropped for an extended period of time. In 2013, a state-backed team was discovered lurking in the systems of the New York Times and gathering information on reporters covering then-premier Wen Jiabao’s financial dealings. The Chinese hackers reportedly entered via malware and were present in the paper’s network for four months. The year prior, Bloomberg was also thought to have been breached by a state-backed team spying on reporters covering then-vice president Xi Jinping. Incidents of Chinese hackers targeting individual American journalists with cyber attacks date back to at least 2008.
Cyber attacks covered by layer of plausible deniability
Highly skilled state-backed hacking teams generally do not leave “smoking gun” evidence that something was their work; inferences are made based on language used in malware and other software scraps they leave behind, previously observed patterns and techniques, the specific information they are after, digital forensic tracing of the attackers’ movements, and so on. This is another case in which Mandiant attributes the attack to Chinese hackers with a certain level of confidence, but not with enough proof to formally make a charge against the Chinese government. Naturally, the governments in question also never admit to responsibility and usually vehemently deny all charges.
As Tim Erlin, VP of Strategy at Tripwire, observes, the language used reflects this perpetual lack of certainty: “Cyber attack attribution is extremely difficult, and while the casual reader may draw the conclusion here that China is responsible (which may be true), it’s worth noting the language that Mandiant uses. Mandiant states that ‘those behind this activity have a China nexus’ and that ‘they are likely involved in espionage activities to collect intelligence to benefit China’s interests.’ The statement does not go as far as pointing to the Chinese government directly. The term ‘China nexus’ and the phrase ‘benefit China’s interests’ are both ways of softening the conclusion. In these types of reports, language matters … On its surface, this seems like the kind of incident the newly formed Cyber Safety Review Board might investigate.”
Hackers targeting journalists are usually looking for intelligence, such as anonymous sources leaking information to the press or information about their economic rivals or adversaries. The cyber attack on WSJ was revealed shortly after FBI director Christopher Wray gave a speech accusing China’s government-backed threat groups of running the world’s largest and most sophisticated program of information theft. He indicated that the FBI has over 2,000 open investigations into cyber attacks believed to be perpetrated by Chinese hackers. Some cybersecurity experts in private industry, such as Paul Martini, Co-Founder and CEO at iboss, agree that this is just an early act in a much larger long-term campaign: “This is an early example of what we believe will be a broader escalation of cyberattacks by nation state actors in the coming year. Just days ago the FBI labeled Chinese cyber aggression more ‘brazen and damaging’ than ever before and we’re seeing that play out in real time. This is likely an intelligence gathering campaign that could have broader impacts on US journalism and politics for years to come.”
The Department of Justice opened a “China Initiative” under the Trump administration to target Chinese hackers and cyber attacks originating from Beijing, but the program appears to have faltered as it switched focus to targeting foreign national academics working in the United States and had issues with closing out successful prosecutions.
Not much information about the technical details of the cyber attack is available. The public only learned of it due to a required Securities and Exchange Commission (SEC) filing by News Corp, which did not disclose anything revealing other than the possibility of a third-party cloud service provider of some sort being the entry point. The possibility that there was a vulnerability in some sort of tool commonly used by journalists may be what prompted News Corp to voluntarily contact outside news organizations to share details of the attack.
Paul Farrington, chief product officer for Glasswall, sees this as another prompt for a paradigm shift to “zero trust” security (a move that the US government has now committed to for federal agencies): “Attacks like this demonstrate that a traditional castle-and-moat approach to network security leaves organisations exposed. Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. Without a zero trust approach, organisations run the risk of attackers having free rein across a network once they are inside.”
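To make the castle-and-moat versus zero-trust contrast concrete, here is an added illustration written for this article; it is not code from Glasswall, News Corp or Mandiant, and the network ranges, request attributes, entitlement sets and session threshold are constructed assumptions. The perimeter check trusts any request from an internal address, so an attacker who has already gained a foothold on an inside host is waved through; the zero-trust check denies by default and requires verified identity, device posture, a per-resource entitlement and a fresh session on every request, regardless of where it comes from.

```python
"""Added illustration: a castle-and-moat check beside a zero-trust policy check.

Hypothetical code written for this article; it is not Glasswall's, News Corp's
or Mandiant's, and all attributes, ranges and thresholds are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed "corporate" address ranges used by the perimeter model.
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed re-authentication threshold for the zero-trust model.
MAX_SESSION_MINUTES = 8 * 60


@dataclass
class AccessRequest:
    user: str
    source_ip: str
    resource: str                # e.g. "mail:reporter", "drive:china-desk"
    action: str                  # "read" or "download"
    mfa_verified: bool = False
    device_compliant: bool = False
    session_age_minutes: int = 0
    # Resources the identity provider says this user may reach (constructed).
    entitlements: set = field(default_factory=set)


def castle_and_moat(req: AccessRequest) -> bool:
    """Perimeter model: anything already inside the network is trusted."""
    addr = ip_address(req.source_ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def zero_trust(req: AccessRequest) -> tuple:
    """Deny by default; returns (allowed, reasons) after checking every signal.

    Network location is deliberately not an input: a request from an inside
    host is evaluated exactly like one from the public internet.
    """
    reasons = []
    if not req.mfa_verified:
        reasons.append("identity not verified with MFA")
    if not req.device_compliant:
        reasons.append("device posture not compliant")
    if req.resource not in req.entitlements:
        reasons.append("no entitlement for resource")
    if req.session_age_minutes > MAX_SESSION_MINUTES:
        reasons.append("session too old, re-authentication required")
    return (len(reasons) == 0, reasons)


def compare_models() -> dict:
    """Evaluate constructed requests under both models.

    Returns {case_name: (castle_and_moat_allows, zero_trust_allows)}.
    """
    cases = {
        # Attacker with a foothold on an internal host, no verified identity.
        "foothold_inside": AccessRequest(
            "svc-mail", "10.20.30.40", "drive:china-desk", "download"),
        # Journalist working from home, MFA passed, on a managed laptop.
        "reporter_remote": AccessRequest(
            "reporter", "203.0.113.7", "drive:china-desk", "read",
            mfa_verified=True, device_compliant=True,
            entitlements={"drive:china-desk", "mail:reporter"}),
        # Fully verified inside user, but the session has run for two days.
        "stale_inside": AccessRequest(
            "editor", "192.168.5.9", "mail:editor", "read",
            mfa_verified=True, device_compliant=True,
            session_age_minutes=48 * 60,
            entitlements={"mail:editor"}),
    }
    return {name: (castle_and_moat(r), zero_trust(r)[0]) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (moat, zt) in compare_models().items():
        print(f"{name:16s} castle-and-moat={moat!s:5s} zero-trust={zt}")
```

The interesting row is the first one: the perimeter model allows the foothold request purely because of its source address, while the zero-trust model refuses it and reports why, which is the difference Farrington's quote describes. The third row shows the cost of the model working as intended: even a legitimate inside user is sent back to re-authenticate once the session exceeds the threshold.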
Hacking originating from Russia tends to dominate news cycles, but incursions into US government agencies and tech firms by Chinese hackers have been increasing in recent years. In December, the breach of 13 organizations, including defense and technology firms, was attributed to a Beijing-backed attack campaign. The attackers exploited a vulnerability in a Zoho software product in use by all of these organizations, and Microsoft’s security team attributed the activity to Chinese nation-state actors based on the operational tactics. Naturally, the Chinese Embassy in Washington refused to address the charges.