GUEST ESSAY: NewsCorp hack shows cyber espionage, squelching of press freedom on the rise

By Toby Lewis

As the dust settles following the recently disclosed hack of NewsCorp, important lessons are emerging for the cybersecurity and journalism communities.


The Chinese government is well known for its censorship, and for its frequent harassment and intimidation of foreign journalists. These are the foremost reasons China is ranked fourth worst globally for press freedom.

China has enclosed its national internet within what is colloquially called ‘the Great Firewall.’ This firewall goes as far as to block the latest version of the TLS encryption protocol (1.3), because it puts mechanisms in place that prevent third parties from decrypting traffic.

Internationally, there is no doubt that this predominantly serves to facilitate the detection and blocking of topics sensitive to the Chinese Communist Party, such as the events of June 4, 1989, in Tiananmen Square. The recent Western reporting on the Uyghur internment camps in Xinjiang triggered further sensitivity around how the international community views the Chinese Communist Party’s domestic policies.

In a recent statement, the Foreign Correspondents Club of China (FCCC) commented, “Covering China is increasingly becoming an exercise in remote reporting, as China cuts off new visas and expels journalists.” Only 4 percent of respondents to an FCCC poll said their organization received a new J-1 visa in 2021, and 46 percent said their bureaus were understaffed because of a lack of visas.

Even those physically in China increasingly face obstruction as they investigate their stories. This ‘remote journalism’ largely relies on access to in-country sources, typically Chinese nationals willing to share their day-to-day experiences with foreign reporters.

If the Chinese government cannot prevent a story from being published outside of the country, it can act against sources. Identifying sources has become a tool in countering the anti-China narrative in the foreign press, and it acts as a powerful disincentive to anyone inside China who might consider speaking to a foreign journalist.

Like many organizations and industries, NewsCorp migrated its digital estate to make greater use of the cloud, including using SaaS providers such as Google Workspace to host its email infrastructure.

Migrating from on-premises infrastructure to the cloud has substantial benefits, including increased efficiency, capabilities, and cost savings. But it also has a considerable downside. If your staff can log on from anywhere on the internet to access their email, so can an attacker, who is no longer constrained by the need to reach a physical device in an office.

For organizations that have made that jump, relying on a simple username and password to protect a globally accessible email server is far from good enough. Password leaks are commonplace. Employees often reuse passwords across other services and accounts. Credential-harvesting attacks via phishing emails are now a daily occurrence. With these factors compounded, it’s only a matter of time before an attacker acquires an email address and password and can simply log in—no need to hack; no need to exploit a zero-day vulnerability.

Multi-factor authentication (MFA) is a powerful defense against these sorts of attacks, because a username and password alone are of no use without the physical key that only the legitimate user possesses. MFA is a must for organizations using SaaS for email.

MFA can be challenging to implement for some organizations from a technology or cost perspective or due to user pushback. In some cases, there have been attacks against MFA systems targeting the companies that make them or exploiting the underlying technology. MFA, however useful, is no silver bullet.

From a detection and monitoring perspective, determining whether a log-on event is legitimate can be difficult. Detection often relies on attackers mounting their heists from known-bad internet infrastructure, and that infrastructure is known only because systems caught attackers using it before. This leaves security teams powerless to stop novel threats and zero-days.

Some mitigation techniques simply block vast swathes of the internet based on the country in which an IP address is believed to be located. But geolocating an IP address is more art than science, and such heavy-handed security can disadvantage an international business. In NewsCorp’s case, blocking every IP address believed to be in China would make remote reporting even more challenging.
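The two detection approaches described above, a known-bad indicator list and blanket geo-blocking, can be contrasted with a third option that scores each log-on against the user’s own history. The following Python is an added example written for this essay; it is not code from the author, NewsCorp, or Darktrace. Every user, IP address (RFC 5737 documentation ranges), ASN and threat-intel entry is constructed sample data, and the scoring rules are an assumed illustration rather than any product’s logic.

```python
"""Login-event triage: known-bad indicators plus per-user baselines, contrasted
with blanket geo-blocking. All users, IPs, ASNs and intel entries are constructed
sample data for illustration, not real indicators."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    user: str
    src_ip: str
    country: str      # geolocation result for src_ip; treat as approximate
    asn: str          # network operator; usually more stable per user than country
    mfa_passed: bool
    success: bool = True


# Constructed threat-intel list: addresses caught in earlier attacks (placeholder values).
KNOWN_BAD_IPS = {"203.0.113.7"}

# Constructed history of successful logins, used to learn what is normal for each user.
HISTORY = [
    LoginEvent("reporter", "198.51.100.10", "GB", "AS64500", True),
    # the correspondent's usual network while reporting from inside China
    LoginEvent("reporter", "192.0.2.44", "CN", "AS64501", True),
    LoginEvent("editor", "198.51.100.20", "GB", "AS64500", True),
    LoginEvent("editor", "198.51.100.21", "GB", "AS64500", True),
]


def build_baselines(history):
    """Collect the countries and ASNs each user has successfully logged in from."""
    baselines = defaultdict(lambda: {"countries": set(), "asns": set()})
    for ev in history:
        if ev.success:
            baselines[ev.user]["countries"].add(ev.country)
            baselines[ev.user]["asns"].add(ev.asn)
    return baselines


def geo_block_verdict(event, blocked_countries):
    """The heavy-handed approach: deny purely on the approximate country of the source IP."""
    return "block" if event.country in blocked_countries else "allow"


def triage(event, baselines, known_bad):
    """Score one login against threat intel and the user's own baseline.
    Returns (verdict, reasons) with verdict one of allow / review / block."""
    if event.src_ip in known_bad:
        return "block", ["source IP on known-bad list"]

    novelty = []
    base = baselines.get(event.user)
    if base is None:
        novelty.append("no login history for user")
    else:
        if event.country not in base["countries"]:
            novelty.append(f"first login from country {event.country} for this user")
        if event.asn not in base["asns"]:
            novelty.append(f"first login from network {event.asn} for this user")

    reasons = list(novelty)
    if not event.mfa_passed:
        reasons.append("no MFA on this session")

    # A never-before-seen origin with only a password is exactly what a stolen
    # credential looks like, so that combination is blocked; either signal on
    # its own is queued for analyst review.
    if novelty and not event.mfa_passed:
        return "block", reasons
    if reasons:
        return "review", reasons
    return "allow", reasons


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    samples = [
        LoginEvent("reporter", "192.0.2.45", "CN", "AS64501", True),    # normal for this user
        LoginEvent("editor", "203.0.113.7", "US", "AS64502", False),    # known-bad IP
        LoginEvent("editor", "203.0.113.99", "US", "AS64503", False),   # new origin, no MFA
        LoginEvent("editor", "203.0.113.50", "FR", "AS64504", True),    # travelling, MFA passed
    ]
    for ev in samples:
        print(ev.user, ev.src_ip, "geo-block:", geo_block_verdict(ev, {"CN"}),
              "baseline:", triage(ev, baselines, KNOWN_BAD_IPS))
```

The first sample shows the trade-off the essay raises: a correspondent logging in from their usual Chinese network is denied by a country block but allowed by the per-user baseline, while a password-only login from a network the user has never used is blocked even though its IP appears on no intel list.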

We have entered a new era of cyber threats. If cybercrime were measured as a country, it would have the third-largest economy in the world, behind the U.S. and China. Cyber tools now undoubtedly play a role in international espionage, and last month NewsCorp bore the brunt of cyber-attackers using the most sophisticated tools in their arsenal to breach its digital estate.

About the essayist: Toby Lewis is Global Head of Threat Analysis at Darktrace, which supplies technology that applies Self-Learning AI to enable machines to understand the business in order to autonomously defend it.
