News Corp. — which owns the publishers of The Wall Street Journal and the New York Post — announced the discovery of a "persistent cyberattack" targeting a limited number of employees. An official with a cybersecurity firm working with the mass media conglomerate said the attack has links to China.
The company, the publishing arm originally founded as part of the Murdoch family's media empire, disclosed the breach Friday in a financial filing to the Securities and Exchange Commission as well as through an internal email to employees.
According to News Corp., the digital attack was discovered in January, at which point executives contacted law enforcement and a private cybersecurity company, Mandiant, for assistance.
The investigation is ongoing, but perhaps most concerning is News Corp.'s assertion that the culprits have ties to a foreign government.
While Mandiant did not explicitly link the cyberattack to the Chinese government, David Wong, the vice president for incident response at Mandiant, said in a statement that the cybersecurity firm's analysts have concluded that "those behind this activity have a China nexus." They were spying or "involved in espionage activities" to gather information "to benefit China's interests," he added.
The Chinese government has a documented track record of launching persistent, sophisticated cyberattacks on businesses, academia, research institutions and government agencies, often with the intention of stealing information that would benefit Chinese interests.
During the Trump administration, the Justice Department launched a "China initiative" aimed at cracking down on what it described as a growing tide of Chinese espionage and intellectual property theft costing businesses around the world hefty sums.
Just this week, FBI Director Chris Wray told an audience at the Ronald Reagan Presidential Library and Museum that the bureau launches a counterintelligence investigation linked to the Chinese government "about every 12 hours or so." Currently, the FBI has over 2,000 investigations focusing on "the Chinese government trying to steal our information and technology," he said.
In addition to any business assets News Corp. owns that might be of interest to China, journalists with sensitive information and contacts with knowledgeable sources make for attractive targets for espionage. Chinese hackers have gone to great lengths in the past to track Chinese dissidents in particular, including through attacks that pretended to host popular websites such as the New York Times homepage. Security officials within China have plans to deploy an extensive surveillance system to track journalists, international students and other people of interest.
News Corp. has dispatched security experts to work with individual journalists it believes may have been affected and "a limited number of business email accounts and documents from News Corp headquarters, News Technology Services, Dow Jones, News UK, and New York Post," according to the internal email sent to employees. News Corp. concluded that some data was stolen but did not comment further on which information or how much.
Neither News Corp. nor Mandiant shared further information about how the hackers got in, though in the SEC filing, News Corp. referred to both "network and information systems" as well as "third-party providers for certain technology and 'cloud-based' systems and services," one of which was the target of the attack. If a third-party cloud provider was the target, the activity could be linked to a broader supply chain-based attack, which could mean other clients using that technology could be vulnerable as well.
"We believe it is important that other media organizations be made aware of this threat in order to take appropriate precautions, and we are providing technical details of the attack to the Media Information Sharing and Analysis Organization," News Corp. Chief Technology Officer David Kline and Chief Information Security Officer Billy O'Brien wrote in the internal email to staff.
Currently, News Corp. says it believes the "threat activity" has been "contained," though Kline and O'Brien did not share information about why they believed that to be the case, nor details on how long the hackers may have been inside the network.
"We will not tolerate attacks on our journalism, nor will we be deterred from our reporting, which provides readers everywhere with the news that matters," they concluded.