News Corp Breach: Chinese Espionage Targeted Journalists for Two Years

A China-linked espionage operation infiltrated News Corp's systems for nearly two years, targeting journalists covering topics sensitive to Beijing — a stark example of state-sponsored cyber espionage against the press.

Yukti Singhal
Security Researcher

On February 4, 2022, News Corp disclosed that it had been the target of a cyberattack attributed to a China-linked threat actor. The breach had compromised email accounts and documents belonging to journalists and other employees at several News Corp properties, including The Wall Street Journal, the New York Post, and News Corp's headquarters operations.

The investigation, conducted by Mandiant, revealed that the attackers had maintained access to News Corp's systems since at least February 2020 — meaning the intrusion lasted approximately two years before detection.

The Scope

The attackers accessed emails and documents from journalists, editors, and other employees. The compromised News Corp entities included:

  • The Wall Street Journal — one of the most influential business publications in the world
  • New York Post
  • News Corp headquarters staff
  • Dow Jones (publisher of the WSJ)
  • News UK operations

According to reporting, the attackers specifically targeted journalists covering topics of interest to the Chinese government, including China's technology sector, trade relations, military activities, and political leadership. This targeting pattern strongly suggested an intelligence-gathering motivation rather than financial gain.

Attribution

Mandiant attributed the attack to a threat actor linked to the Chinese government. While the specific group designation was not publicly identified at the time of disclosure, the techniques, targeting, and operational patterns were consistent with known Chinese APT groups.

The attribution was based on:

  • Targeting patterns consistent with Chinese intelligence priorities
  • Tooling and infrastructure associated with known Chinese threat actors
  • Operational hours aligning with Chinese business hours
  • Techniques, tactics, and procedures (TTPs) matching documented Chinese APT behavior

China denied involvement, as is standard practice for states accused of cyber operations, whichever country makes the attribution.

Why Target Journalists?

Espionage targeting journalists serves several intelligence objectives:

Source identification. Journalists covering sensitive topics communicate with sources who have inside knowledge of government policies, military operations, corporate strategies, and political dynamics. Accessing a journalist's email reveals not just what they know, but who is telling them — which is often the more valuable intelligence.

Advance warning of unfavorable coverage. Knowing what stories are being developed allows a government to prepare responses, preempt narratives, or attempt to influence coverage before publication.

Understanding media narratives. Intelligence agencies want to understand how their actions are being perceived and reported internationally. Access to newsroom communications provides this insight.

Identifying dissidents and critics. People who speak to journalists about sensitive topics are, by definition, willing to share information that a government may want to suppress. Identifying these individuals allows for surveillance, pressure, or retaliation.

Mapping relationships. Journalist communications reveal networks of contacts across government, business, and civil society. These relationship maps have broad intelligence value.

The Two-Year Dwell Time

The fact that Chinese operatives maintained access for approximately two years is remarkable but not unprecedented for state-sponsored espionage. Unlike financially motivated attackers who typically act quickly (deploy ransomware, steal and sell data), espionage actors prefer long-term, persistent access.

During those two years, the attackers could have:

  • Read every email sent and received by compromised accounts
  • Tracked story development and editorial decision-making in real time
  • Identified confidential sources and whistleblowers
  • Monitored internal communications about coverage strategy
  • Accessed draft articles before publication
  • Collected personal information about journalists for potential targeting

The two-year dwell time also means the attackers survived multiple rounds of routine security updates, password changes, and IT operations without being detected. That points to significant operational discipline on the attackers' side, insufficient monitoring on the defenders' side, or, most likely, both.

Media Organizations as Targets

News Corp is far from the only media organization targeted by state-sponsored hackers:

  • The New York Times disclosed in 2013 that Chinese hackers had infiltrated its systems for four months, targeting reporters covering the wealth of China's political leaders.
  • The Washington Post was breached by Chinese hackers in 2011.
  • Reuters was targeted by the Iranian-linked group Charming Kitten, which attempted to compromise journalists' email accounts.
  • Al Jazeera journalists were targeted with NSO Group's Pegasus spyware in 2020.
  • Numerous independent journalists in countries with authoritarian governments face ongoing digital surveillance.

The pattern is global and persistent. Journalism is an intelligence target because journalists are, by nature, information aggregators with access to sources across society.

Security Challenges for Media Organizations

Media companies face distinct security challenges:

Open communication culture. Journalism requires communicating with diverse sources, including strangers, anonymous tipsters, and people in hostile environments. Security policies that restrict external communication conflict with the journalistic mission.

Source protection is paramount. A security breach at a media organization does not just expose corporate data — it potentially exposes sources whose safety depends on anonymity. The stakes are literally life and death in some cases.

Resource limitations. Most media organizations operate on tight budgets. Investing in enterprise-grade security competes with editorial resources.

Global operations. Major media organizations have staff in countries with sophisticated surveillance capabilities. Protecting communications across jurisdictions with varying legal protections is extraordinarily complex.

How Safeguard.sh Helps

Safeguard.sh provides the continuous security monitoring and vulnerability tracking that helps organizations detect and respond to sophisticated intrusions before they persist for years. Our platform monitors for indicators of compromise, tracks the security posture of your email and communication infrastructure, and enforces access policies that limit the blast radius of a compromised account. For organizations handling sensitive communications — whether media, legal, or advocacy — Safeguard.sh provides the visibility to detect state-sponsored intrusions and the governance framework to protect the people who depend on your security.
