For its 2023 report on the state of ransomware, cybersecurity service Sophos asked 138 IT leaders at media and entertainment businesses whether they had been hit by a ransom attack in the previous year.
Almost 100 respondents, or 70% of the total, said they had.
As dire as that sounds, it represented a modest improvement: in the 2022 report, 79% of the 392 media staff questioned admitted to being attacked – a higher rate than for any other industry.
The little-noticed onslaught on news businesses became very public in late 2022 after a hack of The Guardian forced it to close its offices for weeks as it rebuilt its IT infrastructure.
Outside the news industry, ransomware attacks have also been in the headlines with the British Library hit in October, leaving users unable to access its online catalogue for months and killing its website for weeks.
Although The Guardian’s case was particularly severe, Press Gazette has spoken privately to several other publishers who say that they, too, have been targeted by hackers in recent years.
Cyberattacks on news publishers ‘happen daily’
Rob Hesmondhalgh, chief technology and security officer at publisher software as a service provider Lineup Systems, told Press Gazette cyberattacks on the news industry are “terrifyingly common”.
“They are happening constantly,” he said. “Most of them are unsuccessful, some of them are successful and become public knowledge, and some are successful and the victims probably don’t even know.”
Hesmondhalgh can speak from experience: one of his clients, Norway’s Amedia, suffered a catastrophic cyberattack in 2021 that prevented it from printing its 78 local newspapers, some of them for as long as a week.
“That was enormous,” he said. “That impacts you whilst it’s happening, it also impacts you [going forward] because people move away from you as a news source and they don’t all come back.”
George Glass, senior vice president for cyber risk at advisory firm Kroll, agreed cyberattacks on publishers are happening all the time.
“The news media itself is under constant attack, despite receiving only a minimal fraction of media coverage,” he told Press Gazette.
“Distributed Denial of Service (DDoS) attacks from hacktivists, phishing against journalists, and the frequent exploitation of vulnerabilities within the extensive digital footprint of most media organisations happen daily, often hundreds of times per day.”
What do cyberattacks on the news industry look like?
The Guardian has said its 2022 hack was most likely the result of a phishing attack – a type of cyberattack in which someone is tricked into providing sensitive credentials or clicking a link or attachment that contains malware.
In The Guardian’s case, parts of its system were hijacked by ransomware – malware that seizes data and encrypts it until the perpetrator is paid off, usually in cryptocurrency. Guardian News and Media said bank details, salaries and passport numbers of staff were compromised, and blamed the hack for delays paying its freelances.
Less than a year earlier News Corp disclosed that hackers believed to be under the instruction of the Chinese state had spent two years unnoticed inside its systems. The Times, Sun and Wall Street Journal publisher said the hackers accessed the emails and documents of staff, including journalists.
In 2019 The Sun’s computer network was targeted by Russian hackers but they did not manage to gain access.
Only last month a DDoS attack – in which a swarm of traffic is directed at a target with the goal of overwhelming its services – brought down Newsquest websites and interfered with the functioning of its content management system.
Morgan Wright, chief security advisor at cybersecurity business SentinelOne, said the media comes under attack because of “the position they hold in society”.
He told Press Gazette: “From nation-state actors and activists to terrorist groups and transnational criminal groups, the media is one of the few entities that is a common target for bad actors…
“Depending on the motivation, the attacks could be retribution for a perceived slight (as in the case of North Korea attacking Sony), testing of new tactics and techniques (TV5Monde in France), or an active measures campaign (a targeted attack designed to incorrectly assign attribution to another group).”
News site archives are used daily by people around the world for everything from double-checking claims on social media and settling pub arguments to providing the sources on which Wikipedia is based. They’re also integral to the journalistic process itself, with reporters taught to check their publication’s clippings before embarking on writing a story. But hacks can put editorial systems at risk.
Christiaan Beek, senior director for threat analytics at cybersecurity platform vendor Rapid7, said the slew of elections due around the world this year makes the media “a prime target for nation-state actors looking to spread misinformation or enact revenge when they’re shone in a negative light”.
Such attacks have occasionally happened, albeit usually in more trivial ways: in 2022 a New York Post employee used their CMS access to post headlines attacking a Republican gubernatorial candidate. A month earlier a hacker caused Fast Company to send its Apple News subscribers an offensive notification. More impactfully, some Russian smart TV schedules were hacked to display anti-war messages in May 2022.
Hesmondhalgh said he thinks attacks on publishers’ editorial archives are already occurring and are either going unnoticed or undisclosed.
“Being able to change the truth can be much more valuable than being able to steal some money,” he said.
It would not take many such hacks to have an effect, he added: “If you say ‘people tried to hack our HR system, and they’ve got away with people’s bank details’, that’s bad.
“But if you’re a news provider and you say ‘people tried to hack our editorial system’ – you’re no longer trusted.”
Kroll’s Glass echoed that sentiment, saying that misinformation at a media organisation after a compromise “can have far-reaching consequences, eroding trust in the media and disrupting the flow of accurate information, which is crucial for an informed society”.
Other cybersecurity experts disagreed that this was a significant likelihood, however, with one who asked to remain anonymous suggesting such hacks would be a lot of effort for an unclear payoff.
What’s the economic logic of extorting cash-strapped news organisations?
There are financial motives too: Glass said that “for financially motivated attackers, disrupting a news network, especially if the attack impacts broadcast or publishing operations, creates significant pressure for the victims to pay the ransom and generates visibility for the attacker group, a secondary but essential benefit for criminals.
“However, several other attractive factors make media organisations a valuable target. Journalists are valuable intelligence sources. Uncovering a journalist’s sources would be advantageous in various whistleblowing cases, M&A activity and overall influence operations.”
Even leaving aside the more unique qualities of the media, publishers can make for a lucrative target. Matt Dowson, a cybersecurity commercial lead at cloud computing business Iomart, said: “It’s worth just taking a step back and looking at how valuable a dataset could be in a media organisation.
“That could be anything from internal employees – so all of the data that supports their HR system, [for example] names, addresses, telephone numbers, passport details, work permits.
“That’s all valuable on the dark web. If you take a slice of that, it can be resold.”
The news industry’s extensive digital supply chains offer would-be attackers multiple routes in, and the fact that many media organisations are financially lean may have made them more likely, not less, to be attacked.
Lineup’s Hesmondhalgh said high-value industries like banking and insurance “have invested heavily for many, many years in security, for very obvious reasons.
“The consequences for them of failing in their security – not just in terms of embarrassment to the business, disruption to the business, but also regulatory fines, sanctions, et cetera – are huge. So they have invested continuously for a long time and probably driven forward the IT industry in that sense.
“The media industry has not really seen itself as being under that kind of threat for a long time. And it’s fairly recent, it’s the last two years, that they’re waking up to that and taking it seriously.”
He suggested that successive rounds of cuts at publishers have likely left IT departments understaffed, because for news outlets “it’s not their core function. When it’s come around to cost savings or efficiency savings, it’s one of those things that’s tended to get hit.
“And therefore I think we are starting from a position of a bit of weakness.”
The 2023 Sophos report into the state of ransomware found that the media, leisure and entertainment sector “had the highest percentage of attacks where the root cause was an exploited vulnerability”, at 55%.
In many of those cases, Hesmondhalgh said, even though fixes were available, IT departments will have been too understaffed to either know the vulnerabilities existed or to apply the necessary patches.
But a 2022 report from cybersecurity firm BlueVoyant suggested it’s not just publishers leaving themselves vulnerable, but providers in their supply chain too.
Across 485 media (including non-news) suppliers the firm assessed, 143 had one or more unpatched vulnerabilities, which it said was “almost double compared to the multi-industry average observed by BlueVoyant across one million-plus companies”.
Half the vulnerabilities were at CMS vendors, and 60% of them remained unpatched six weeks after a patch was issued.
What can news publishers do to protect themselves from cyberattacks?
Press Gazette asked the experts what news publishers should do to minimise their risk, keeping in mind that major spending would be difficult for many.
SentinelOne’s Wright said: “Stick to the basics to start. View all inbound emails with links as suspect. Be very cautious about sharing personal information [i.e. on social media], as that is used to social engineer access through the answering of security questions.”
All software should be kept up to date, he said, and all accounts should use multi-factor authentication and pass phrases or complex passwords. Those credentials should never be re-used in more than one place.
“Even though budgets are always a consideration, imagine what it would cost to recover from an attack as opposed to preventing one in the first place,” he added.
“Organisations never seem to find the time and money to do it right, but when an incident happens, they seem to find enough time and money to do it over. The price for the latter is usually ten to 20 times the former.”
Rapid7's Beek agreed that getting a handle on “the security basics” was the best thing publishers could do.
“Media organisations tend to rely upon multiple digital distribution mediums, such as social media accounts, branded websites, and apps – and this allows for multiple targets,” he said.
“Each of these must be secured with measures such as multi-factor authentication that is enforced across the entire organisation, particularly for VPNs [virtual private networks] and virtual desktop infrastructure.”
Both Iomart’s Dowson and Lineup's Hesmondhalgh recommended 24/7 monitoring of both publisher networks and their endpoints (physical devices on a system), but emphasised that third-party services are available to do the job.
Hesmondhalgh added that “training and education are absolutely essential”, noting that everyone in his company, including him, is routinely targeted with an in-house spear phish – a phishing attack tailored to an individual – to test them.
He also recommended resources on the government’s National Cyber Security Centre website, which include printable posters for display around the workplace and an “Exercise in a Box” feature that allows companies to wargame a range of cyberattack scenarios.
Has your news organisation been the victim of a cyberattack? You can let Press Gazette know in confidence by emailing email@example.com.