Targeting the news: Ransomware attack on The Guardian
Reading a newspaper. Image by Tim Sandle
In ‘news about news’, The Guardian has reported an IT incident that it believes was a ransomware attack. The bastion of liberal news media was struck by as-yet unidentified actors in December 2022, although fuller details of the incident were not reported until the second week of January 2023.
The London-based news company says that personal data of U.K. staff members has been accessed in the incident. The Guardian is the ninth most-read news site in the world, with almost 390 million visits per month.
Looking into the woes of the newspaper group for Digital Journal is Joe Gallop, Intelligence Analysis Manager at Cofense.
Gallop begins by considering how and why the media is a cybersecurity target, stating: “Journalists and news organizations became increasingly popular targets for cybercriminals in 2022. While details are still emerging about the ostensible ransomware attack on The Guardian, there has been an ongoing effort from state-sponsored threat actors from North Korea, China, and Iran to gain access to journalists’ sensitive information and curtail free speech.”
Whether the Guardian attack originated with one of those states is not known; Gallop's focus is instead on how such operations typically unfold. He continues: “The attack on The Guardian, unfortunately, follows a familiar trend – threat actors most often use phishing as a preliminary step in multi-step ransomware operations, rather than a direct delivery mechanism for ransomware itself.”
On how the phishing stage turns into a ransomware deployment, Gallop offers: “Tools used to establish a pervasive presence and deploy ransomware in the targeted organization’s network may be loaded via the phishing campaign’s malware payload, but only at the command of a human attacker after the automated phishing chain is complete.”
Expanding on the risk, Gallop adds: “Once inside, a threat actor can use any of a large variety of custom and commodity tools to move laterally, escalate privileges, establish persistence and deliver the final ransomware payload. By the time an actual ransomware binary is detectable within a targeted organization’s network, it may be too late to mitigate the impact.”
This points to where defensive effort should be concentrated, as Gallop observes: “Thus, it is more important than ever to catch a ransomware operation at the phishing stage, before it is even identifiable as a ransomware attack.”
Gallop’s recommendation for other organisations is: “To do this, organizations must take the necessary steps to protect inboxes and detect threats. Adopting actionable intelligence that gives visibility into the risk factors in your network and responds to phishing threats immediately and decisively will help keep malicious actors at bay and ensure the protection of sensitive data.”
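The phishing-stage detection Gallop describes, as an added example that is not part of the article and is not Cofense's or The Guardian's tooling: a small Python triage routine that scores an inbound message on the indicators an analyst checks before the human-operated stage of an intrusion can begin (sender authentication results, Reply-To redirection, lookalike sender domains, display-name impersonation, loader-type attachments and pressure language). The organisation name, its domains, the trusted-domain and risky-extension lists and both sample messages are constructed for illustration and are assumptions, not facts from the page.

```python
import email
import email.utils
import os
import re
from email import policy
from email.message import EmailMessage

# Assumptions for this example (not from the article): the organisation's name,
# its mail domain, and the domains it legitimately exchanges mail with.
ORG_NAME = "Example Org"
ORG_DOMAIN = "example.org"
TRUSTED_DOMAINS = {"example.org", "partner.example"}

# Container and script types commonly used as first-stage loaders; illustrative, not exhaustive.
RISKY_EXTENSIONS = {".iso", ".img", ".lnk", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".html", ".one"}


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    _, at, dom = addr.rpartition("@")
    return dom.lower() if at else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates (within 2 edits), else None."""
    for t in trusted:
        if domain != t and _edit_distance(domain, t) <= 2:
            return t
    return None


def triage(raw: bytes) -> dict:
    """Score one raw RFC 5322 message and return the indicators that fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    from_dom = _domain(addr)

    # 1. SPF/DKIM/DMARC results stamped by the border MTA.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail|none|permerror)", auth):
            findings.append(f"{mech} did not pass")

    # 2. Replies silently redirected to a domain other than the sender's.
    reply_dom = _domain(email.utils.parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Sender domain a couple of keystrokes away from one we trust.
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"sender domain {from_dom} resembles trusted domain {imitated}")

    # 4. Display name claims to be us while the address is external.
    if ORG_NAME.lower() in name.lower() and from_dom != ORG_DOMAIN:
        findings.append("display name impersonates the organisation")

    # 5. Attachment types that usually carry a loader rather than a document.
    for part in msg.iter_attachments():
        ext = os.path.splitext(part.get_filename() or "")[1].lower()
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type {ext}")

    # 6. Pressure language typical of credential and loader lures.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if re.search(r"urgent|immediately|password will expire|verify your account", text, re.I):
        findings.append("urgency or credential-lure language in body")

    score = len(findings)
    verdict = "quarantine" if score >= 3 else ("review" if score else "deliver")
    return {"score": score, "verdict": verdict, "findings": findings}


def _build(from_hdr, auth, body, filename, reply_to=None) -> bytes:
    """Assemble a constructed test message; the attachment bytes are a placeholder."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = f"newsdesk@{ORG_DOMAIN}"
    m["Subject"] = "Updated schedule"
    if reply_to:
        m["Reply-To"] = reply_to
    m["Authentication-Results"] = auth
    m.set_content(body)
    m.add_attachment(b"placeholder", maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


def sample_phish() -> bytes:
    """Constructed lure: lookalike domain, failed auth, ISO loader, urgency, off-domain Reply-To."""
    return _build("Example Org IT Support <helpdesk@examp1e.org>",
                  "mx.example.org; spf=fail smtp.mailfrom=examp1e.org; dkim=none; dmarc=fail",
                  "Your password will expire immediately. Open the attached schedule and verify your account.",
                  "Editorial_Schedule.iso", reply_to="helpdesk@mail-reset.example")


def sample_benign() -> bytes:
    """Constructed ordinary message from a trusted partner with a PDF."""
    return _build("Jane Smith <jane@partner.example>",
                  "mx.example.org; spf=pass smtp.mailfrom=partner.example; dkim=pass; dmarc=pass",
                  "Attached are the notes from Tuesday's call.", "notes.pdf")
```

Calling `triage(sample_phish())` returns a quarantine verdict with every indicator firing, while `triage(sample_benign())` is delivered with no findings. In a real deployment the Authentication-Results header must be the one stamped by your own border MTA (an attacker can add a forged one), the thresholds would be tuned against your mail flow, and the result would feed an automated quarantine rather than a print-out; the point the example makes is that all of these signals are visible at the inbox, before any loader, lateral movement or ransomware binary exists on an endpoint.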