Six weeks after being hacked, why is The Guardian still broken?

The Guardian was victim to a cyber attack

The bustle and buzz of a newsroom is the pumping heart of any media organisation. It is where curiosity, energy and creativity are blended into a constant flow of investigation, revelation and information for readers.

At the headquarters of the Guardian and Observer newspapers though, the keyboards sit idle and the journalists are absent. The office was shuttered after a cyber attack back in December, when staff were at the Christmas party. As the crisis enters its third calendar month almost all of its staff are still forced to work from home as IT specialists try to repair the damage.

The organisation has managed to keep publishing both in print and online (print has been more of a challenge and The Observer printed one page twice on Sunday due to old systems being used). But the ransomware attack – in which a criminal gang partially disabled its computer systems and stole data in the hope of extracting a ransom payment – is likely to cost the company millions of pounds in repairs and possible fines. The issue of whether it paid a ransom remains unanswered.


The Guardian faces some tough questions about the efficacy of its online security, which is currently the subject of an investigation by the Information Commissioner’s Office. Employees’ bank details are among the data accessed by the hackers, leaving many workers anxious about fraud.

The fact that such a high-profile organisation has fallen victim to cybercrime has also drawn attention to the organised gangs that are now targeting British firms on an industrial scale.

Modus operandi

Alarm bells first started ringing at The Guardian’s offices on the evening of Dec 20, and by the early hours of the next day executives were certain they had fallen victim to a ransomware attack. The culprit, they discovered, had gained access to the company’s computer network using a “phishing” email, which typically tricks an employee into opening an attachment that carries malicious code.

The Guardian has released little detail about what its investigation has found, and some employees have complained about a lack of transparency from executives. One said staff were “incredulous” at the paucity of information being shared by the company with employees who are themselves victims of the attack.

Don Smith, vice president of research at the cybersecurity firm Secureworks, knows the criminals’ modus operandi inside out.

“Typically the criminals will spend about five days inside a company’s system once it has been compromised,” he says. “They will explore the network, go deeper and deeper into it, and only then will they show their hand by encrypting parts of it and possibly stealing data.

“There will then be a ransom note delivered onto each computer and it will typically say they have a certain number of days to pay, with an amount that is generally demanded in cryptocurrency such as Bitcoin.”

Mr Smith said ransoms range from hundreds of thousands of pounds to more than £10 million in the most extreme cases. If companies pay up, the gangs will return or destroy the data they have stolen and provide the electronic keys to decrypt the computer systems. If victims refuse to pay, they are left on their own to repair the damage and run the risk of their data being leaked onto the internet, though Mr Smith says that is rare: if no payment is made, the gangs often simply move on to their next victim.

The Guardian has refused to say whether any ransom money was paid, telling The Daily Telegraph that: “We are following the advice of external security experts not to comment on this matter.”

It has, however, confirmed that employees’ personal details, including bank details, national insurance numbers, salary and passport details, had been stolen. It is the loss of this sensitive data that could result in a fine from the ICO, which has the power to impose penalties of up to £17.5 million, or 4 per cent of annual global turnover, whichever is higher. Last year the construction group Interserve was fined £4.4 million after hackers stole the personal and financial information of up to 113,000 employees. The Guardian hack is also being investigated by the police.

‘The Guardian is an unusual victim because it is high profile’

The issue of whether or not The Guardian paid a ransom is not the only question facing its chief executive Anna Bateson and editor-in-chief Katharine Viner. Unlike several other media organisations, including The Telegraph, Guardian Media Group is not a member of the National Cyber Security Centre (NCSC) media working group, which shares information and updates about possible threats to media firms.

The Guardian said last night that “we participate in a range of industry bodies in which cyber threat analysis is shared on an ongoing basis”.

There have also been accusations that its own IT staff had warned that its systems were vulnerable and needed updating. Asked directly whether this was true, a Guardian spokesman said: “We have strong information security controls in place which are regularly examined and tested by internal and external experts. We have invested significantly in this area of the business in recent years and will continue to do so in the future as we learn the lessons of this incident.”

Then there is the question of whether The Guardian was deliberately targeted by a hostile state. In common with other Western media organisations, The Guardian has been a critic of Russia’s war in Ukraine. The hacking group Killnet, thought to be funded by Russia’s military intelligence service the GRU, is just one group known to have attacked pro-Ukraine media organisations in other countries.

Last week the NCSC, which is part of GCHQ, publicly issued an advisory statement sharing details about “malicious” phishing campaigns against “specific targets”, including journalists, by groups including the Russian-based Seaborgium.

The Guardian has said it does not believe it was targeted because of its status as a news organisation, but that it was instead caught up in the gangs’ dragnet of any and all potential victims.

Mr Smith, whose firm is one of only a handful approved by the NCSC for helping organisations with “networks of national significance”, such as government departments, agrees.

“If you’re a criminal gang the last thing you want is to draw attention to yourself,” he said. “The Guardian is an unusual victim because it is high profile.”

The vast majority of gangs, Mr Smith says, are from Eastern Europe, particularly Russia and Ukraine, to the extent that attacks noticeably drop off during Orthodox church religious holidays. A small number of recent attacks have also been traced to Iran. Investigators do not believe most attacks are state-sponsored, though in the case of Russia and Iran the gangs will only be able to operate if the state is willing to turn a blind eye.

Rebuilding is a costly business

While some companies manage to restore their systems within days of a cyber attack, The Guardian is still in the process of fixing the damage six weeks on. The company is understood to be restoring its IT functions one by one, checking each for any malicious code left behind by the hackers before bringing it back online. Some equipment is likely to have been replaced altogether, and some replacements may not be immediately available (the lead time on some specialist IT equipment is currently nine months).

The Guardian also believes its office Wi-Fi has been compromised, which is why staff are not even returning to the office to work from their own laptops. In a virtual staff meeting yesterday, workers were told that all of their mobile devices – laptops, phones and tablets – must be screened before they are allowed back in the building. A phased return of staff is about to begin, which is expected to take the rest of February to complete.

Ransomware attacks are big business for the world’s criminals. Last week the US Department of Justice smashed a crime group known as Hive, which had racked up more than 1,500 victims in more than 80 countries who paid out a combined total of more than $100 million (£81 million) in ransoms.

The cost of hiring specialists and consultants to rebuild compromised IT systems can run to 10 times the amount of ransom demanded, regardless of whether a ransom is paid. A cyber attack on Hackney Council in London in 2020 cost the council £12.2 million to fix.

Two in five companies in the UK have reported successful or attempted cyber attacks in the past year. Almost one in three businesses and a quarter of charities suffering attacks said they now experience breaches or attacks at least once a week.

Staff at The Guardian who are concerned about their personal data falling into the hands of criminals have been offered support from the data analytics firm Experian after The Guardian acknowledged the “potential” for the data to be combined and used for identity fraud.

In an email to staff, HR director Suzy Black warned that a “full, detailed analysis” of the attack is “technically complex” and could take “months”. Staff might face a long wait for answers from their company about what went wrong.