One of Britain’s most popular newspapers, The Guardian, is reporting that a suspected ransomware attack is causing some internal network trouble. The online publishing component does not appear to be impacted, but a recent article indicates that some of its infrastructure has been disrupted.
The article did not provide full details, but implied that print production may have been affected in some way. However, it also offered the assurance that print runs would likely make it to market as scheduled. Staff were instructed to work from home for the week as the incident was remediated by the in-house IT team.
Unclear if ransomware attack on The Guardian was targeted
The paper’s report on the ransomware attack characterized it as “serious” despite it seemingly not stopping online or offline production of the paper, and only alluded to parts of the internal IT infrastructure being impacted. The report also said that a ransomware attack was the most likely explanation, but that the incident was still being investigated. The paper’s staff has been instructed to work from home at least through the end of the week leading into the Christmas weekend, aside from “a few key exceptions.”
It is still unclear who is behind the ransomware attack. No criminal group has stepped forward to take credit, and there has been no word of it yet on the dark web. Ransomware attackers generally do not waste much time in making the attacks known unless they are privately negotiating with the victim, with the trend these days being to “double extort” and threaten to leak stolen sensitive information onto the web. It could be that the attack was aborted somehow before it was able to steal salable information or do any kind of crippling damage to the paper, so the attackers simply cut their losses and moved on.
An employee of The Guardian told The Telegraph that the ransomware attack took out the paper’s internal office WiFi network, and that staff on site had to move to working on laptops and mobile phones for a time. An email to staff also indicated that the impact was centered on the Kings Place offices and had impacted the VPN system. Senior editors at the paper reportedly do not know anything more than anyone else about the incident at this time, and it is not clear if it has been reported to the National Cyber Security Centre yet.
News organizations increasingly targeted for ransomware attacks, vandalism
Newspapers are increasingly under attack by cyber criminals, but ransomware attacks are not always the motive. The year has seen a number of attacks on major papers that seemed to be inspired either by intelligence gathering or by plain vandalism.
In January, News Corp was attacked by hackers believed to be affiliated with Chinese state-backed advanced persistent threat groups. Reporters for the Wall Street Journal, the Times and the Sun had their email addresses compromised, and the attackers rifled through these accounts and internal newspaper networks for documents of interest to the Chinese government.
In September, Fast Company suffered a less damaging (but still concerning) hack in which someone calling themselves “Vinny Troia” spammed vulgar and offensive push notifications to subscribers using Apple News. The site was taken offline for an evening as the incident was dealt with. The actual Vinny Troia, a well-known cybersecurity researcher, later identified a hacker that goes by the handle “Pompompurin” as the culprit.
Another hack related to News Corp came in October when the New York Post suddenly displayed a number of offensive articles. This was eventually blamed on a rogue employee, though questions remain about the incident as the Post never made evidence of this claim public.
It has typically been rare for newspapers to be targeted specifically for ransomware attacks, as their fortunes have been very publicly in decline for some time. Even the biggest names often struggle to make average profits, and smaller papers are often barely afloat; they are not the sorts of businesses to have ample cash on hand to pay off ransomware gangs, and more lucrative targets are available in numerous other industries. Ransomware attacks on newspapers are sometimes accidental, as may have been the case with the October attack on the small German paper Heilbronn Stimme; apparently a “well known” ransomware gang encrypted company servers, but did not appear to ever get around to actually making a ransom demand.
Nevertheless, Sammy Migues (Principal Scientist at Synopsys Software Integrity Group) notes that this incident demonstrates that all types of organizations should be prepared for ransomware attacks: “Almost all organizations do host, network, and cloud configuration and security testing. They do some application security testing. They have internal awareness training and anti-phishing training. They have advanced SaaS firewalls and third-party log analysts as partners. Yet, we still hear about ransomware events almost daily. That means it can happen to anyone but everyone can be better prepared.”
The Guardian has not yet ruled out the possibility that this was a similar vandalism attempt, motivated either by politics or by a personal grudge. The Guardian has a reputation as a center-left oriented publication in the UK, with “Guardian reader” sometimes used as a pejorative by more right-wing commentators to describe a liberal or someone who supports “politically correct” perspectives. The paper also has a long history of upsetting powerful political forces, dating back to its reporting on the Snowden leaks of 2013 and its role as the lead investigating body in the Panama Papers reporting. The Guardian has a digital-only US branch, but is thought to have a circulation of only about 220,000 subscribers throughout North America.
Oz Alashe, CEO of CybSafe, theorizes that the attack may have been a “wiper” incident rather than a standard ransomware attack: “Ransomware attacks have dominated the headlines in 2022, and The Guardian seems to be the latest victim of the increasingly popular form of attack. In the last few months alone, criminals realised they don’t need to steal or sell data. That takes too much time and effort. Instead, simply threatening to delete the data can produce the same result. Ransomware, wiperware, and any other type of malware are preventable. It starts with basic cyber hygiene: network segmentation, backups, regular patching, and vulnerability assessments. However, organisations also need to embrace a working culture that promotes positive security behaviours, treating it as a core value or an active process, not just a yearly compliance exercise. People want to be part of the solution. They are the crucial first and last line of defence. Organisations must give them the tools and training to allow them to be effective.”