Guardian attacked by ransomware – definitely

Schrödinger's ransomware declared to be very much alive at The Guardian.
13 January 2023

To ransom or not to ransom – The Guardian reveals the extent of its data breach.


On December 20th, 2022, the UK’s Guardian newspaper reported that it had been hit by a ransomware attack – probably. Despite announcing that much, the newspaper group then went quiet on whether the incident – which hit a behind-the-scenes system, and at the time was regarded as affecting neither the newspaper’s production nor the integrity of the Guardian website – was a ransomware attack or not.

Ransomware confirmed.

Now, some three weeks later, The Guardian has confirmed both that the incident was a ransomware attack, and that the personal data of UK staff members was compromised.

Three weeks after the initial attack in which their data was harvested, Guardian staff were told of the details by an email from Guardian Media Group chief executive Anna Bateson, and the newspaper’s editor-in-chief, Katharine Viner.

It’s understood that neither the personal data of Guardian staff in other countries like the US and Australia, nor the data of readers or subscribers were compromised in the attack. That is at least something the Guardian Media Group will be thankful for, as The Guardian is the eighth most read newspaper in the UK (as of 2021), and the ninth most read news website in the world, so the potential for a reader-based data breach could well have been catastrophic for its fortunes.

As no evidence has yet emerged of The Guardian’s UK staff data being exposed online in hacker forums or on leak sites, the email they received said the risk of fraud was considered to be low – rather than, for instance, “delayed,” which is what the absence of the data after only three weeks could equally suggest.

Nevertheless, most UK Guardian staff have been working from home since the attack on December 20th, to avoid the potential worsening of the situation by allowing further unauthorized access to the paper’s systems.

The nature of the attack has been revealed as “a highly sophisticated cyberattack involving unauthorized third-party access to parts of our network,” which is thought most likely to have started with phishing – the practice of luring someone into clicking a link or opening an attachment in an email, which typically either harvests their login credentials or delivers malware onto the system, giving the attacker the initial foothold from which the rest of the intrusion proceeds.

“We believe this was a criminal ransomware attack, and not the specific targeting of The Guardian as a media organization,” Bateson and Viner added in their email. “These attacks have become more frequent and sophisticated in the past three years, against organizations of all sizes and kinds, in all countries.”

They’re right as far as they go – ransomware for profit was always the more likely explanation for the attack, compared to, for instance, politically-motivated sabotage of what is seen as a largely liberal mouthpiece. A government report in 2022 revealed that two in five UK businesses had reported cybersecurity breaches or attacks in the previous 12 months – so arguably, the attack on The Guardian was nothing special.

The increasing reality.

Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, explained:

“Any organization can be targeted for cyberattacks like this. The Guardian and other companies need to realize the importance of educating employees – and executives – about the dangers of these attacks, as well as how to recognize, avoid, and report such phishing schemes. In addition, organizations need to make sure they have recent offline backups, allowing them to quickly restore their systems in case of attacks. They also need to ensure that their systems are updated to plug security holes that allow bad actors to perform these attacks successfully.”

Another Consumer Privacy Advocate, Paul Bischoff from Comparitech, highlighted the potentially too blasé approach of The Guardian’s editors in regarding the risk to their employees as “low” on the basis that the data has not been exposed online after three weeks.

The opportunity for exploitation.

“The theft of Guardian UK employees’ names, address, SIN numbers, government identity documents, and salary details puts those employees at risk of further attacks in the future. That information could be used for identity theft, tax fraud, and other scams. It could also allow bad actors to target and retaliate against Guardian staff who publish something they don’t agree with. Thus far, the stolen data has not surfaced publicly, and hopefully it never does.”

But with each large-scale attack that makes headlines, the cybercriminal community gains boldness and information on how to attack major organizations and systems.

The first major attack of 2023 has been revealed to be the Royal Mail “cyberincident,” which is now being widely described as a cyberattack using LockBit 3.0 ransomware – an increasingly popular choice among Russian-speaking cybercriminal gangs.

Deryck Mitchelson, Field CISO at Check Point Software, who predicted an attack against some element of UK critical national infrastructure when talking to Tech HQ just weeks ago, explained that the country will undoubtedly see further major ransomware attacks throughout the course of 2023. “The thing about ransomware attacks is that they do reconnaissance work before they deploy their encryption packet,” he said. “The next big ransomware attack is probably already taking place as we speak – it just hasn’t been activated yet.”