Employees of News Corp have received security breach notifications that indicate the company was compromised from February 2020 to January 2022, during which time confidential company information and personal data was taken.
Follow-up from Mandiant indicates that a Chinese state-backed hacking team may be involved. News Corp is one of the world’s largest media companies and owns the Wall Street Journal, Fox News, The Sun, Dow Jones, the New York Post and Barron’s among other holdings.
Long-term security breach focused on exfiltration, tied to China
The news comes from data breach notification letters sent to employees, dated February 22. The notification says that a “limited number” of personnel had business documents and email accounts accessed by the attackers. In some cases this resulted in the theft of highly sensitive personal information such as Social Security numbers, driver’s license and passport numbers, and bank account information. The letter did not indicate exactly which branches of News Corp the security breach might have been limited to, but follow-up reporting indicates that the Wall Street Journal, New York Post and assorted news operations in the United Kingdom were impacted.
Some of this was previously known, as the company mentioned a “persistent” cyber attack in an early 2022 Securities & Exchange Commission (SEC) filing. The new security breach notification confirms this, however, and expands on the timeline and details about what was accessed.
Mandiant, which was brought in for forensic investigation in 2022, believes that the attackers have a “China nexus” and pursued information that was in the interest of the Chinese government’s strategic objectives. An October 2022 incident in which the New York Post was defaced does not appear to be related to this campaign, having been previously attributed to a disgruntled former employee of the paper.
There remains little information about how the security breach unfolded, but Erfan Shadabi, cybersecurity expert with comforte AG, notes that there are multiple common security oversights that groups such as these target: “There are several reasons why security teams may miss cyber-intrusions and not notice a breach for a long time:
Lack of visibility: Security teams may not have complete visibility into their network or systems, which can make it difficult to detect intrusions or unusual activity.
Poor security hygiene: If security teams are not following best practices for security hygiene, such as regularly patching systems or updating security software, they may leave vulnerabilities that attackers can exploit.
Advanced tactics: Sophisticated attackers may use advanced tactics to evade detection, such as hiding their activity within legitimate network traffic.
Insider threats: Attacks launched by insiders, whether malicious or unintentional, can be difficult to detect because the activity appears to be normal and authorised.
Lack of response planning: If security teams do not have a well-defined incident response plan, they may not know how to respond to a breach or may take too long to detect and respond to it.
Organizations need to do their due diligence, understand the true nature of the sensitive data they protect, and find the right methods to guard their data. The best approach is to protect the data itself rather than the borders around it, an approach known as data-centric protection and which includes methods such as tokenization. Tokenization replaces sensitive information with benign but meaningless tokens, so even if hackers get to your data, it is unintelligible and therefore worthless to them.”
Chinese APT group suspected as News Corp experiences ongoing security struggles
IBM/Ponemon and other security researchers have published studies in recent years indicating that the average “dwell time” for attackers after a security breach is about 200 days; the News Corp incident approaches triple that amount of time. The source of the initial breach remains unknown, but the overwhelming majority of extended breach windows such as this are caused by use of compromised login credentials allowing the attackers to fly below security radar for extended periods.
Individual News Corp branches have had their own security incidents of late. In addition to the New York Post defacement, in 2022 Fox News also had a misconfigured database containing 58 GB of data left open to the public internet for some amount of time. This exposed the personal information of some 65,000 employees, including the network’s high-profile presenters and anchors, as well as several hundred internal email addresses not meant for the public. The database was discovered by a security researcher, but it is unclear how long it was available to others prior to being addressed. In 2019, Dow Jones also experienced a misconfigured database incident that leaked a private list of 2.4 million records of “high risk” clients.
Profit-seeking criminals usually make themselves known fairly quickly in the wake of a security breach by planting ransomware and/or holding stolen data hostage. A very long dwell time is usually indicative of a state-backed espionage operation. These attackers look to compromised credentials first and foremost as they allow for both easy access and a means of evading security sweeps. Successful security operations in this area thus put a focus on stolen credentials, with a variety of tactics ranging from the simple (scanning for credential re-use in known data breaches) to the complex (implementing privileged access management schemes).
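The “simple” tactic mentioned above, checking credentials against known breach corpora, can be done without ever handing a full password or hash to a third party. The following is an added example written for this article, not code from News Corp, Mandiant or the quoted vendors. It models the k-anonymity range lookup used by public breached-password services (SHA-1 of the password, only the first five hex characters leave the client) and runs offline against a small breach corpus constructed inline; the corpus values, account names and the password-change vetting hook are all assumptions.

```python
"""Added example: offline k-anonymity check for credential re-use.

The "server" side holds breached SHA-1 hashes grouped by 5-character prefix;
the "client" side sends only that prefix and matches the suffix locally, so
the service never learns which password was checked. Intended to run where
the plaintext is legitimately available, i.e. at password-change time.
"""
import hashlib
from collections import defaultdict

# Constructed sample corpus of passwords seen in past breaches, with counts.
# A real corpus holds hundreds of millions of entries; these are made up.
CONSTRUCTED_BREACH_CORPUS = {
    "password": 9_000_000,
    "123456": 37_000_000,
    "Winter2020!": 1_200,
    "letmein": 400_000,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 digest, the form range-lookup services use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: group breached hashes by their 5-char prefix."""
    index = defaultdict(dict)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index[digest[:5]][digest[5:]] = count
    return index


def range_lookup(index, prefix: str) -> dict:
    """Server side: every known suffix under a prefix (the k-anonymity reply)."""
    return dict(index.get(prefix, {}))


def breach_count(index, password: str) -> int:
    """Client side: reveal only the prefix, match the suffix locally.

    Returns how many times the password was seen in breaches (0 = unseen).
    """
    digest = sha1_hex(password)
    response = range_lookup(index, digest[:5])
    return response.get(digest[5:], 0)


def vet_password_changes(index, proposed):
    """Names of accounts whose proposed new password is already breached.

    `proposed` maps account name -> candidate password submitted at a
    password-change prompt (assumed hook; constructed for this example).
    """
    return sorted(name for name, pw in proposed.items()
                  if breach_count(index, pw) > 0)


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_BREACH_CORPUS)
    candidates = {"jdoe": "Winter2020!",
                  "asmith": "c0rrect-h0rse-battery",
                  "svc_backup": "letmein"}
    for name in vet_password_changes(idx, candidates):
        print(f"{name}: rejected, password appears in breach corpus")
```

Because the client only transmits a prefix, the same check can be pointed at an external service without the organisation disclosing its users’ hashes; the suffix comparison is what keeps the query private.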
News Corp has not named the specific APT group thought to be responsible for the security breach, but Mandiant has been tracking numerous state-backed Chinese groups for over a decade and there are a range of possibilities. APT41 is a longtime surveillance-focused group that usually specializes in stealing intellectual property, but has been known to monitor media companies as well. APT31 has more of a specific focus on spying on entities that can provide information related to China’s geopolitical interests, and the country has several additional data theft groups that have also been known to do some spying in North America at times.
Media companies are an increasingly popular target for advanced state-backed hackers, particularly the high-profile outlets that tend to have connections to anonymous sources and whistleblowers (which the state hackers hope to identify). Javvad Malik, lead awareness advocate at KnowBe4, notes that defense against this level of attack often requires flexibility and creativity: “This is why protecting against attacks is so vitally important. Detecting an intruder once they are inside an organization can be very difficult, especially if they have a long game in mind and move slowly. Most organizations are usually overwhelmed with alerts on a daily basis, and even with a large number of tools, it can be difficult to isolate actual intrusions. It’s why a layered approach to detection is needed. This includes locking down workstations, limiting traffic to sensitive areas, and using honeypots or honey tokens which will often provide fewer alerts, but they will be of much greater value in identifying an attacker.”