China Suspect in News Corp Cyber-Espionage Attack!

China Suspect in News Corp Cyber-Espionage Attack!

Attackers infiltrated News Corp network using BEC, while Microsoft moved to stop such attacks by blocking VBA macros in 5 Windows apps. Included: more ways to help stop BEC.

The Chinese hackers responsible for an attack on News Corp last month likely were seeking intelligence to serve China’s interests in a cyber-espionage incident that shows the persistent vulnerability of corporate networks to email-based attacks, security professionals commented.

E-Mail Accounts

Reports on Mon. revealed that a Jan. 20 incident at Rupert Murdoch’s company involved an attack on journalists’ email accounts that gave the intruders access to sensitive data. The breach – just limited to several individuals working for outlets including News UK, the Wall Street Journal & the New York Post – has raised concerns over the safety of confidential sources collaborating with journalists affected by the incident.

In an e-mail to staff, News Corp cited a “foreign govt.” as responsible for the “persistent nation-state attack” & confirmed that “some data” was stolen, according to published reports.


The media company enlisted the assistance of cyber-security firm Mandiant to investigate the incident, which the firm suggested is likely the work of a China-sponsored player.

“Mandiant assesses that those behind this activity have a China nexus, & we believe they are likely involved in espionage activities to collect intelligence to benefit China’s interests,” commented David Wong, VP of consulting at Mandiant, in a statement.

Targeting Journalists

Whilst China usually targets “military & intellectual property” in its state-sponsored attacks, journalists also are “fairly high on their radar for espionage” due to their work with sources – confidential & otherwise, as noted by 1 cyber-security professional.

“Journalists can have access to sources & intelligence about adversaries & other opponents of the Chinese regime, both foreign & domestic, or can be researching stories that could generate negative publicity for the Chinese Govt.,” Mike McLellan, Director of Intelligence for cyber threat intelligence firm Secureworks Counter Threat Unit, on Mon.

Politically Motivated

Paul Farrington, Chief Product Officer for security firm Glasswall, agreed that it’s “common for politically motivated cyber-criminals to mine reporters’ materials for intelligence,” given their frequent conversations with confidential sources that have access to information about current & future geopolitical events.

Moreover, China has previously shown an interest in attacking journalists, making this latest attack “entirely consistent with past Chinese state-sponsored behaviour,” concurred Dave Merkel, CEO of cyber-security firm Expel.

New York Times

He cited a previous attack on the New York Times by China in 2013 as a precedent for the nation’s targeting of journalists. Moreover, the threat players’ use of business email compromise (BEC) to conduct the attack “makes sense” & also is consistent with nation-state actors, Merkel observed.

“When it comes to cyber-attacks, nation state actors will only be as advanced as they have to – why burn expensive zero days if you don’t need to?” he stated.


In fact, Merkel said the No. 1 source of attacks against Expel customers is BEC. “There’s no reason to think Chinese state-sponsored groups wouldn’t use the same tactics against their targets if those tactics work – & news organisations are definitely targets,” he explained.

BEC is a major threat that typically involves human error. The way it works is that an employee at a company receives an email with a malicious link or document & takes an action that can install malware on their computers.

Corporate Network

This can result in consequences from local data theft to giving threat actors access to the corporate network to advanced attack vectors such as ransomware.

Microsoft unveiled a timely yet unrelated step this week that could help mitigate the impact of, or even prevent, future BEC attacks: the company will soon begin blocking, by default, VBA macros obtained from the internet in 5 Office apps, as the company revealed in a blog post Mon.

“For macros in files obtained from the internet, users will no longer be able to enable content with a click of a button,” Microsoft Principal Program Manager Kellie Eickmeyer wrote. “A message bar will appear for users notifying them with a button to learn more.”

Default Setting

This default setting “is more secure & is expected to keep more users safe including home users & information workers in managed organisations,” she added. Sending documents loaded with macros that immediately install malware on people’s computers with 1 click is a popular tactic of email-based attacks.

The new default setting will apply to Microsoft Office on devices running Windows for Access, Excel, PowerPoint, Visio & Word. Microsoft will roll out the change 1st in a preview version of Office 2023, starting with its Current Channel update channel in early April 2022.

Update Channels

This change will soon be available in the other update channels, e.g. Current Channel, Monthly Enterprise Channel, & Semi-Annual Enterprise Channel. Then, Microsoft also will change the Office default setting for VBA macros in Office LTSC, Office 2021, Office 2019, Office 2016 & Office 2013, Eickmeyer added.

This may make it harder to allow malware past corporate employees using BEC tactics. However, as 1 security professional noted, companies still must remain vigilant & take a maximum approach to both threat mitigation & response, given the evolving nature & increased occurrence of cyber-attacks that organisations now face.

Threat Environment

“As the threat environment continues to change, proper & continuous diligence is required to ensure all cyber defensive tools & techniques are employed to protect your most precious data assets,” observed Tom Garrubba, VP at risk-management firm Shared Assessments.

“Continuous intelligence, monitoring, & dialogue with critical partners & suppliers should be ongoing to ensure ‘all is ready’ in the event recovery is needed, & that additional support is available in the event something were to occur.”