The state-sponsored attackers behind a breach that News Corp disclosed last year had been on its network for nearly two years by the time of that disclosure, the publishing giant has revealed.
In a letter to employees last week, News Corp said an investigation of the incident showed the intruder first broke into its network in February 2020, and remained on it until discovered on Jan. 20, 2022. Over that period, the adversary had access to what News Corp described as business documents and emails pertaining to a “limited number of employees.” Data that the attacker had access to at the time included names, dates of birth, Social Security numbers, driver’s license numbers, and health insurance numbers, News Corp said.
An Intelligence-Gathering Mission
“Our investigation indicates that this activity does not appear to be focused on exploiting personal information,” the letter noted, according to reports. “We are not aware of reports of identity theft or fraud in connection with this issue.”
When News Corp — the publisher of the Wall Street Journal, New York Post, and several other publications — first disclosed the breach last January, the company described it as an intelligence-gathering effort involving a state-sponsored advanced persistent threat (APT). In a Feb. 4, 2022 report the Wall Street Journal identified the actor as likely working on behalf of the Chinese government and focused on gathering the emails of targeted journalists and others.
It’s unclear why it took News Corp more than a year after initial breach discovery to disclose the scope of the intrusion and the fact that the attackers had been on its network for nearly 24 months. A spokesperson for News Corp did not directly address that point in response to a Dark Reading request for comment. However, he reiterated the company’s previous disclosure about the attack being part of an intelligence-collection effort: “Also as was said then, and was reported on, the activity was contained, and targeted a limited number of employees.”
An Unusually Long Dwell Time
The length of time the breach at News Corp remained undetected is long even by current standards. The 2022 edition of IBM and the Ponemon Institute’s annual cost of a data breach report showed that organizations on average took 207 days to detect a breach, and another 70 days to contain it. That was slightly lower than the average of 212 days it took an organization to detect a breach in 2021 and the 75 days it then took to address it.
“Two years to detect a breach is way above average,” says Julia O’Toole, CEO of MyCena Security Solutions. Given that attackers had access to the network for such a long time, they most likely got away with a lot more information than was first perceived, O’Toole says.
While that’s bad enough, what’s worse is that less than a third of breaches that happen are actually detected at all. “That means many more companies could be in the same situation and just don’t know it,” O’Toole notes.
One issue is that threat detection tools, and security analysts monitoring those tools, cannot detect threat actors on the network if the adversaries are using compromised login credentials, O’Toole explains: “Despite all the investment in [threat detection] tools, over 82% of breaches still involve compromised employee access credentials.”
A Lack of Visibility
Erfan Shadabi, cybersecurity expert at Comforte AG, says organizations often miss cyber intrusions because of a lack of visibility into their assets and poor security hygiene. The increasingly advanced tactics that sophisticated threat actors use to evade detection — like hiding their activity in legitimate traffic — can make detection a huge challenge as well, he says.
One measure that organizations can take to bolster their detection and response capabilities is to implement a zero-trust security model. “It requires continuous verification of user identity and authorization, as well as ongoing monitoring of user activity to ensure security,” Shadabi tells Dark Reading.
Organizations should also be using tools such as intrusion detection systems (IDS) and security information and event management (SIEM) systems to monitor their networks and systems for unusual activity. Strong access control measures including multifactor authentication (MFA), vulnerability management and auditing, incident response planning, third-party risk management, and security awareness training are all other crucial steps that organizations can take to reduce attacker dwell times, he says.
“Generally speaking, organizations, particularly large ones, have a difficult time detecting attacks because of their vast technology estates,” says Javvad Malik, lead awareness advocate at KnowBe4. “Many organizations don’t even have an up-to-date asset inventory of hardware and software, so monitoring all of them for breaches and attacks is extremely difficult,” he says. “In many cases, it boils down to complexity of environments.”