Major News Outlets Attacked in Apparent Coordinated Campaign

This time it’s not about some Twitter account being hacked but serious business: It was major news when on January 30 The New York Times revealed that it had been hacked, with users’ passwords and various email accounts compromised. Today the Wall Street Journal stepped forward and announced that its computer systems had been infiltrated as well. The Journal states that “The U.S. Federal Bureau of Investigation has been probing these media incidents for more than a year.” Quite clearly there is a pattern here.

Although it may be easy to jump to (wrong) conclusions, especially regarding attribution of these attacks, a number of disturbing facts remain:

  • Many actors have an interest in knowing what stories will be published in advance, ranging from stock brokers to nation states
  • Revealing reporters’ sources by way of hacking into their accounts may have dire consequences for the sources, including torture and death. Most countries have laws protecting them for this very reason, but hacking circumvents all protection.
  • News outlets are rather small companies with limited budgets and limited resources for protecting their networks against determined attackers
  • News organizations are extremely vulnerable to attacks in which malicious code is supplied to employees by way of email attachments or links in email. Reporters use email and online sources all the time. It’s part of their daily business.

What can news and other organizations do to protect themselves?

By now it should be clear that relying only on endpoint security in a standard configuration is not enough to stop determined attackers with enough resources and skills. We need additional controls and monitoring to defend against them. Remember, they can try a thousand times and need to succeed only once; as defenders we need to succeed every time. Watching who accesses data and from where, monitoring network traffic, and being suspicious of unusual activity (who exactly in your network is supposed to upload gigabytes of data to somewhere on the Internet?) are key to detecting and blocking such attacks. A security information and event management (SIEM) solution can help here, especially if your human resources for monitoring are limited.
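To make the “who is uploading gigabytes?” check concrete, here is an added example (not code from the original post or from any of the outlets mentioned) that runs the kind of egress-volume detection a SIEM rule would encode over a handful of constructed proxy-style log lines. The log format (timestamp, source IP, destination IP, port, bytes out, bytes in), the internal address ranges, the 1 GiB per-host-per-day threshold and the business-hours window are all assumptions for illustration; only outbound flows from an internal host to an external address are counted, so a large internal file-server copy does not trigger an alert.

```python
"""Flag internal hosts that push unusual volumes of data to the Internet.

Added example: works on constructed, space-separated log lines of the form
  <ISO timestamp> <src ip> <dst ip> <dst port> <bytes out> <bytes in>
The format, thresholds and address ranges below are assumptions, not the
configuration of any real system.
"""
import ipaddress
from collections import defaultdict

# Constructed sample log (not real traffic). Host 10.20.4.17 pushes ~4 GB to one
# external address at 02:00; host 10.20.4.31 copies 3 GB to an internal server
# and only downloads from the Internet; 10.20.4.52 is ordinary browsing.
SAMPLE_LOG = """\
2013-01-30T02:11:05Z 10.20.4.17 203.0.113.45 443 1843200000 51200
2013-01-30T02:15:42Z 10.20.4.17 203.0.113.45 443 2202009600 40960
2013-01-30T09:05:10Z 10.20.4.31 198.51.100.8 443 734003 5242880
2013-01-30T09:07:55Z 10.20.4.31 10.20.1.5 445 3145728000 4096
2013-01-30T10:30:00Z 10.20.4.52 192.0.2.77 80 45000 2100000
"""

# Assumed internal ranges (RFC 1918); adjust to the real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
UPLOAD_THRESHOLD_BYTES = 1 * 1024 ** 3   # assumed: 1 GiB per source host per day
BUSINESS_HOURS = range(7, 19)            # assumed: 07:00-18:59 UTC


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    ts, src, dst, port, bytes_out, bytes_in = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "bytes_out": int(bytes_out), "bytes_in": int(bytes_in)}


def summarize_egress(log_text):
    """Aggregate bytes uploaded per (source host, day), counting only
    flows that leave the internal network."""
    stats = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Internal-to-internal copies and inbound traffic are not exfiltration candidates.
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        day, hour = rec["ts"][:10], int(rec["ts"][11:13])
        entry = stats.setdefault((rec["src"], day),
                                 {"bytes": 0, "off_hours_bytes": 0, "dsts": defaultdict(int)})
        entry["bytes"] += rec["bytes_out"]
        if hour not in BUSINESS_HOURS:
            entry["off_hours_bytes"] += rec["bytes_out"]
        entry["dsts"][rec["dst"]] += rec["bytes_out"]
    return stats


def find_suspicious_uploads(log_text, threshold=UPLOAD_THRESHOLD_BYTES):
    """Return one alert per (host, day) whose external upload volume meets the
    threshold, with the top destination and the share sent outside business hours."""
    alerts = []
    for (src, day), entry in sorted(summarize_egress(log_text).items()):
        if entry["bytes"] < threshold:
            continue
        top_dst = max(entry["dsts"], key=entry["dsts"].get)
        alerts.append({
            "src": src,
            "day": day,
            "bytes_out": entry["bytes"],
            "top_dst": top_dst,
            "off_hours_fraction": entry["off_hours_bytes"] / entry["bytes"],
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_uploads(SAMPLE_LOG):
        print("ALERT {src} on {day}: {bytes_out} bytes out, mostly to {top_dst}, "
              "{off_hours_fraction:.0%} outside business hours".format(**alert))
```

In practice the threshold would come from each host’s own baseline rather than a fixed constant, and the same aggregation over a week or month catches the slow, low-and-slow variant that a daily limit misses; the off-hours fraction is the cheap context that turns a volume number into something an analyst can prioritise.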

How many publications outside the United States have been victims of similar attacks? It’s very likely publications around the globe are being attacked or “pwned” as I’m writing this. You may want to check your own network for anything unusual and protect against attacks that could hit you as well.