The miscreants who infiltrated News Corporation’s corporate IT network spent two years in the media monolith’s system before being detected early last year.
The super-corp, which owns The Wall Street Journal, New York Post, UK publications including The Sunday Times, and a broad array of other entities around the world, first reported the intrusion in February 2022, saying the snoops got into email accounts and gained access to employees’ data and business documents.
A year later, according to a four-page letter sent to employees, News Corp executives said the unidentified cybercriminals likely first gained access to a company system as early as February 2020, and then got into “certain business documents and emails from a limited number of its personnel’s accounts in the affected system.”
Both News Corp and Mandiant – the now-Google-owned cybersecurity house brought in to investigate the intrusion – said the attackers likely were nation-state players linked to China with the aim of gathering intelligence.
In the letter, which was first published by Bleeping Computer, News Corp execs told staff the attack “does not appear to be focused on exploiting personal information.” Executives added that they hadn’t been alerted to any incidents of identity theft nor fraud connected to the security breach.
While the attack may not have targeted personal data, its perpetrators could see plenty of it. The letter states some employees’ names and dates of birth were accessed, plus details of financial services accounts, some health insurance data, medical information, Social Security numbers, driver license info, and passport numbers.
News Corp is giving affected workers free identity protection and credit monitoring for two years through Experian’s IdentityWorks program, which also includes identity restoration in case of fraud and $1 million in identity theft insurance.
Dwell time is a cybersecurity concern
The attack highlights the issue of “dwell time” – the amount of time miscreants spend within a company’s IT environment before they’re uncovered.
Dwell time is a crucial metric for organizations and cybercriminals. The latter make substantial efforts to evade detection and secure longer dwell times. Organizations prefer shorter dwell times as it means fiends have less opportunity to go about their unpleasant business.
Security firms have various estimates of dwell time. Mandiant last year said the median dwell time dropped from 24 days in 2020 to 21 in 2021. However, Sophos found the median dwell time jumped from 11 days in 2020 to 15 days the following year.
IBM Security said in 2022 that the average time for identifying and containing a breach was 287 days and that the longer the dwell time, the more damage done. Breaches that took more than 200 days to identify and contain cost an average of $4.87 million, compared with $3.61 million for those of fewer than 200 days.
Companies should not assume they’re too insignificant to be targeted by bad actors
Subtlety is dangerous
The nature of the attack can determine dwell time, according to experts. Ransomware and distributed denial-of-service (DDoS) attacks are noisy and quickly attract attention. Advanced persistent threat (APT) and cyber-espionage groups need longer time in the corporate network and try to run under the radar.
“Dwell time is one of the biggest indicators of the severity of the breach,” Jon Bambenek, principal threat hunter at security-centric analytics firm Netenrich, told The Register, adding that defensive technologies generally do well against “smash-and-grab attacks.”
“It’s the subtle ones that are harder,” he added.
To combat such attacks designed to evade detection, organizations need to keep security telemetry long enough to enable behavioral analytics tools to work well and detect the nuanced deviations from normal behavior, Bambenek said.
Stealth and dwell time are prized by the actors behind advanced persistent threats (APTs), according to Patrick Tiquet, vice president of security and architecture at Keeper Security.
“Unlike a DDoS, SQL injection, or other attacks that tend to be either obvious or more easily detected, an APT could go on for months or years without being noticed,” Tiquet told The Register. “Companies should not assume they’re immune to data breaches or too insignificant to be targeted by bad actors.”
Protection against attacks that are aimed at staying under the radar and evading detection is the same for any kind of attack, said Timothy Morris, chief security adviser at Tanium.
“The best preventative measures against all types of attacks is to patch, patch, patch,” Morris told The Register. “Have a sound vulnerability management program, use robust multi-factor authentication, and implement least privilege access.”
Javvad Malik, lead awareness advocate at KnowBe4, championed a “layered approach” to detection – including locking down workstations, limiting network traffic to sensitive areas, and using honeypots or honey tokens, which will generate fewer, but more valuable, alerts to help identify an attacker.
“Detecting an intruder once they are inside an organization can be very difficult, especially if they have a long game in mind and move slowly,” Malik told The Register. “Most organizations are usually overwhelmed with alerts on a daily basis, and even with a large number of tools, it can be difficult to isolate actual intrusions.” ®