Media conglomerate News Corp, the parent company of an array of television and print outlets including the Wall Street Journal and Fox News, has reported that a security breach first discovered in early 2022 stretches back to February 2020 and impacted a broad array of the company’s subsidiaries.
The security breach included theft of internal documents and access to employee email accounts, and auditor Mandiant believes that the attackers were a state-backed Chinese espionage team. While the average “dwell time” for attacks of this sort remains very long, the News Corp breach window was much longer than normal.
Mandiant points to state-backed Chinese hackers as culprit
At nearly two years of dwell time, the window on this security breach is well above the average even when APT groups are involved. It went on for so long that security incidents at other News Corp companies, such as the New York Post and Fox News, took place concurrently but do not appear to be related to the espionage campaign.
The attackers, believed to be at least one of China’s state-backed teams, lurked and exfiltrated a variety of sensitive information rather than attempting to leak data or deploy ransomware. China has over a dozen groups that are known to participate in these sorts of activities, some of which have a special focus on attacking US media organizations. State-backed actors are usually seeking to intercept information that might be leaked to the media and to identify anonymous sources when they break into news organizations.
Security breach cause unknown, News Corp employees most impacted
The first news of this security breach came in early 2022, as News Corp made a mandatory disclosure of it as part of a required Securities & Exchange Commission (SEC) filing. The company also announced that it was bringing in leading security firm Mandiant to do forensics and investigate. The more recent information comes from a data breach notification letter sent out to News Corp employees on February 22.
The letter advises that only some personnel had their email accounts accessed or business documents taken by the attackers, but in some of these cases very sensitive personal information was involved: bank account information for paychecks, passport and driver’s license numbers, and Social Security numbers may have been taken. The Wall Street Journal, New York Post, and United Kingdom-based news operations such as The Sun have been confirmed to be impacted by the security breach.
Mandiant has fingered China’s state-sponsored hackers based on the information that they focused on stealing, which apparently was related to the government’s geopolitical interests. The incident comes amidst a renewed national focus on the prospect of Chinese spying, which has manifested in proposed bans on TikTok amongst other actions.
There is little public information at this point about how the security breach initially took place, but extremely long dwell times are very often the result of compromised employee credentials, which allow attackers to repeatedly access networks while evading regular security sweeps that look for anomalous behavior.