Staffers at the UK’s Guardian newspaper have been informed that their offices will remain shut for at least a month, following the 20 December 2022 suspected ransomware attack on the media organisation’s systems.
According to an internal notice seen by media sector publication Press Gazette, Guardian Media Group (GMG) chief executive Anna Bateson said at the beginning of the week that journalists and other staff would have to continue to work from home.
She said that, a fortnight after the incident, a number of key systems remained offline, and that this was a result of the steps the organisation took to secure itself.
“To reduce strain on our networks and help the enterprise tech, ESD and other involved teams focus on the most essential fixes, everyone must work from home until at least Monday 23 January in the UK, US and Australia, unless you are specifically asked to work from our offices,” said Bateson.
Other reporting described a “total nightmare”, with problems supposedly affecting print production, financial systems including payroll and expenses, and even the on-site canteen at GMG’s London office.
The incident is understood to have begun on the evening of Tuesday 20 December and, according to the Guardian, which itself broke the news of the incident the following day, affected unspecified parts of its infrastructure. Its online publishing systems were not affected, meaning the newspaper was able to continue to publish stories online.
Two weeks on, confirmed details on the incident remain sparse and GMG has not made any further statements as to the precise nature of the incident, although its online subscriber help centre appears to have acknowledged that it was indeed a ransomware attack.
Although it cannot be stated for certain that the attack on GMG was a targeted incident, what can be said with relative confidence is that media outlets are increasingly targeted by threat actors as such incidents can prove highly disruptive and are likely to resonate with a far wider audience.
It can also be fairly said that reporting on major international incidents such as Russia’s war on Ukraine may leave a title exposed to malicious actions by Russia-backed or aligned groups. Additionally, any publisher of titles that skew to the different ends of the political spectrum – in GMG’s case, its titles lean to the liberal centre and left wings – may also find themselves the targets of politically motivated hacktivism.
Dan Vasile, vice-president of strategic development at BlueVoyant, and a former cyber security operator in the media sector, conducted research into the security challenges that the media industry faces in 2022.
“The media industry is often targeted because of the influence it holds. Media companies get high-volume traffic and are trusted by their audience,” Vasile told Computer Weekly in emailed comments.
“This puts a target squarely on the backs of news organisations. The domino effect is in full force: Thomson Reuters, The New York Post, Fast Company, and now The Guardian, among countless previously reported breaches.
“Generally speaking, large media organisations have structured cyber security programs in place, but as companies’ digital estates become well defended, malicious actors turn their attention to the supply chain, opening up a whole new attack surface,” he said.
The BlueVoyant research – which was published in August 2022 – said there were material security failings across the media sector’s supplier ecosystem, compounding the issue.
The incident at GMG also demonstrates a firmly established trend of executing large-scale cyber attacks around major holiday periods, the 2021 attack on Kaseya that unfolded over the US 4 July holiday being an excellent example. With IT and security teams stretched thinly due to holiday cover, the chances of a successful attack can slightly increase.