The Guardian breach and news media as targets.
Jan 13, 2023

The Guardian says that personal data were compromised during the cyberattack it recently sustained.

The Guardian has confirmed that it sustained a ransomware attack last month.

Attackers access UK employees’ data.

The Guardian Media Group’s CEO Anna Bateson and the Guardian’s editor-in-chief Katharine Viner sent an email to employees on Wednesday stating that the firm had suffered a “highly sophisticated cyber-attack involving unauthorised third-party access to parts of our network.” The attackers were able to access personal data of the company’s UK employees. Graham Cluley explains that these data included “names, addresses, dates of birth, National Insurance numbers, bank account details, salary information, and identity documents such as passports.”

Industry comment on the Guardian breach and the threat to media outlets.

Joe Gallop, Intelligence Analysis Manager at Cofense, offered the following comments:

“Journalists and news organizations became increasingly popular targets for cybercriminals in 2022. While details are still emerging about the ostensible ransomware attack on The Guardian, there has been an ongoing effort from state-sponsored threat actors from North Korea, China, and Iran to gain access to journalists’ sensitive information and curtail free speech. The attack on The Guardian, unfortunately, follows a familiar trend – threat actors most often use phishing as a preliminary step in multi-step ransomware operations, rather than a direct delivery mechanism for ransomware itself. 

“Tools used to establish a pervasive presence and deploy ransomware in the targeted organization’s network may be loaded via the phishing campaign’s malware payload, but only at the command of a human attacker after the automated phishing chain is complete. Once inside, a threat actor can use any of a large variety of custom and commodity tools to move laterally, escalate privileges, establish persistence and deliver the final ransomware payload. By the time an actual ransomware binary is detectable within a targeted organization’s network, it may be too late to mitigate the impact. Thus, it is more important than ever to catch a ransomware operation at the phishing stage, before it is even identifiable as a ransomware attack.”

Adrien Gendre, Chief Tech and Product Officer and Co-Founder at Vade, stated:

“Phishing is a quick and easy way in for hackers and one of the primary methods of distributing ransomware. Knowing a phishing attack may have been responsible for the data breach The Guardian experienced makes it increasingly concerning that threat actors are able to successfully target major media organizations through flaws in email security preparedness and/or training.

“While their motivations are unknown, the criminals behind this cyberattack accessed employee data, which could not only lead to the data being sold or published on the dark web but also result in targeted attacks on employees. Many Guardian employees are journalists, a highly targeted group due to their proximity and access to high-profile sources and information, making them particularly vulnerable to additional attacks.”

Dan Vasile, Vice President, Strategic Development, BlueVoyant, commented: 

“The ongoing fallout from the recent ransomware attack on The Guardian shines an already bright light on the media industry’s cybersecurity challenges. Distributed and fragmented technology ecosystems have developed as a result of the ever-changing media consumer landscape.

“The media industry is sometimes targeted because of the influence it holds. Media companies get a high volume of traffic and are trusted by their audiences. This puts extra pressure on the shoulders of media companies, especially news organizations. The domino effect is in full force: Thomson Reuters, The New York Post, Fast Company, and now The Guardian, among countless previously reported breaches. 

“The industry should be put on even higher alert following the ransomware attack on The Guardian, which resulted in an internal network compromise that led to severed access to corporate services. The company has announced that personal details of UK staff members were accessed by the attackers. This development is concerning, because it exposes employees to further security risks from spear phishing campaigns or impersonation.”