Threat Research Blog

Hacking the News: Global News Media Firms and Small Market Outlets In the Crosshairs of Cyber Threat Groups

Islamic State of Iraq and Syria (ISIS) militants, who are known for barbaric attacks and violent propaganda, have set their sights on news organizations. In April, “the Cyber Caliphate,” a group claiming to be affiliated with ISIS, took credit for disrupting the online presence and broadcasting capability of TV5Monde, a global French-language satellite television network. The group posted propaganda and the identities of French soldiers supposedly conducting military operations against ISIS on TV5Monde’s websites and social media accounts. The cyber operation allegedly disabled TV5Monde’s production and transmission system for several hours.[1] This incident may have been the first time a television station went off the air as a result of a cyber attack. It is a troubling signal. First, cyber threat groups are prepared to take down a news organization’s ability to broadcast. Secondly, it also serves as a warning to other news outlets about their security.

Threat groups, who we suspect operate from Russia and China or are associated with the Syrian government, have long targeted major news media organizations to support political and economic goals. What makes these ISIS-sympathizing actors different is that they are targeting news organizations of all sizes—hijacking major broadcasters, such as TV5Monde, as well as the social media accounts and websites of small market newspapers and televisions stations, such as the Albuquerque Journal and WBOC in Salisbury, Maryland. The breadth of these recent incidents demonstrates that global news organizations are not the only ones at risk in an era where modern production and broadcasting systems are on the same network.

Russia and China Have a History of Compromising News Outlets

Russia and China-based cyber threat groups have compromised the networks of news organizations to collect intelligence on upcoming stories, identify journalists’ sources, enforce censorship, and silence dissent as part of their strategy to control their respective country's national image. Russia considers regional and international news as legitimate spaces to defend its interests as part of the country’s information warfare strategy. For example, we profiled a suspected Russian group, APT28, who carefully crafted malware-laden emails to compromise the email of a journalist who reports on the Caucasus.

China-based groups have exploited news organizations’ networks to obtain early warning about stories critical of the senior leaders, major Chinese firms, the government, and the Communist Party. In early 2013, The New York Times and The Wall Street Journal revealed that China-based threat groups had monitored them, most likely to identify sources used in articles perceived as damaging to the country’s reputation.[2][3] The New York Times also reported that Bloomberg and The Washington Post suffered similar incidents.[4][5] Chinese authorities have also denied visas and raided the offices of Bloomberg.[6] China likely considers cyber operations on news organizations as a valuable tool to manipulate public opinion during a crisis.  In November 2014, a suspected threat group based in China disrupted access to websites associated with Hong-Kong pro-democracy protests and a news media company critical of the Chinese government.[7]

Hacktivists Hijack Websites and Social Media To Demonstrate their Reach Outside of Syria and Build Audiences for their Propaganda

Hacktivists supporting the Syrian government have defaced news organizations’ sites to demonstrate their reach outside of the country, punish news outlets for perceived reporting bias, and recruit supporters. International news media companies are enticing targets because of the size of their audience and global influence. Some their incidents have had wider effects. For instance, the Syrian Electronic Army (SEA) hijacked the Twitter account of The Associated Press in April 2013. The group posted that an explosion at the White House had injured President Barack Obama. The incident reportedly triggered a brief $136 billion fall in the U.S. stock market.[8]

ISIS Sympathizers Target News Organizations of All Sizes, Making them Difficult to Predict and Deter

Unlike the suspected state sponsored groups operating from China and Russia ISIS-sympathizing hackers are a different type of cyber actor willing to target small market outlets in addition to global news mainstays. During the past year, ISIS-sympathizing hackers have gone from hijacking the social media account of a local television station in Maryland to conducting a more disruptive incident last month at the global television network, TV5Monde.

This scattershot targeting probably reflects their lack of a leader and disorganization. ISIS-sympathizing hackers likely are dispersed around the globe and meet easily online to plot their next cyber operation. ISIS leaders in Iraq and Syria probably do not issue orders that dictate the sympathizers’ cyber targets in the way that we believe more centralized, resourced threat groups operate. In fact, these hackers’ operations have seemingly caught the organizers of ISIS social media accounts off guard. For instance, ISIS social media accounts were late to react to the TV5Monde incident but later in the day lauded the operation.[9] The ISIS-sympathizing hackers appear to operate asymmetrically just like their counterparts on the battlefield. They leverage widely available techniques to conduct online operations just as ISIS fighters in Iraq or Syria often launch improvised explosive device attacks with common components. Their disorganization makes it difficult to predict their next target, unlike the more calculated operations of nation state sponsored actors.

News media organizations are enticing targets for terrorist sympathizers and national governments. Those outlets with inadequate security, from the largest globe-spanning operations to small market news stations, could find themselves as the next unsuspecting victim of ISIS-sympathizers. Additionally, news organizations should consider that the well-resourced cyber threat groups in Russia and China could be capable of much more devastating operations. Modern news organizations’ broadcast capabilities may be integrated on a single network that accesses their video production systems, websites, social media, and satellite feeds. That network could be vulnerable to cyber operations intending to disrupt an outlet's ability to broadcast. A hacked station that is taken off the air undermines a key revenue source, as its advertisers may loose faith in the broadcasters’ ability to deliver their messages and viewers may question the quality of the broadcasted information. These incidents could have a chilling impact on press freedoms if cyber threat groups believe that hacking the news is a viable means to shutdown their critics, even if they are overseas.   

Examples of Targeting of News Organizations Since 2013

Since 2013, several APT groups suspected to be based out of China and Russia, hacktivists supporting the Syrian government, and ISIS sympathizers have targeted news organizations. Some of these groups have a history of targeting of news organizations dating to before 2013.


Early 2014 to early 2015

Late 2014

Mid-2013 to late 2014


Early 2013

Threat Actor

Hacktivists claiming to be affiliated with the Islamic State of Iraq and Syria

Suspected China-based threat groups

Pro-Syrian government hacktivists

The Russian-based APT28

Suspected China-based APT groups

Notable Targets

Newsweek, Le Monde, Albuquerque Journal and WBOC (a local television station in Maryland) social media accounts

TV5 Monde social media accounts and broadcasting capabilities[[10],[11],[12]]

Hong Kong-based pro-democracy websites

Hong Kong-based news media company, Next Media[[13],[14],[15]]

The Washington Post, The New York Times, Vice News websites

CNN, CBS News, The Associated Press, TIME Magazine, Guardian, BBC social media accounts


Georgian journalist covering the Caucasus[[23]]


The New York Times

The Wall Street Journal

The Washington Post






Deface websites, hijack social media and disrupt broadcasts to demonstrate the group’s reach into the West and generate potential recruits

Disrupt access to websites through a distributed denial of service attack to silence criticism and dissidents during a political crisis (Hong Kong pro-democracy protests)

Deface websites and hijack social media to demonstrate the group’s reach into the West, generate potential recruits, and punish outlets perceived reporting bias

Monitor journalists’ communications to identify sources and seek early warning for damaging stories

Monitor journalists’ communications to identify sources and seek early warning of damaging stories

[1] Abi-Habib, Maria and Sam Schechner. “French Network TV5 Monde Hacked by Group Claiming to Be Islamic State,” The Wall Street Journal, 9 April 2015,

[2] Perlroth, Nicole, “Hackers in China Attacked The Times for Last 4 Months,” The New York Times, 30 January 2013,

[3] Barrett, Devlin, Siobhan Gorman, and Danny Yadron, “Chinese Hackers Hit U.S. Media,” The Wall Street Journal, 31 January 2013,

[4] Perlroth, Nicole, “Washington Post Joins List of News Media Hacked by the Chinese,” The New York Times, 1 February 2013,

[5] Perlroth, Nicole, “Wall Street Journal Announces That It, Too, Was Hacked by the Chinese,” The New York Times, 31 January 2013,

[6] Peter Elkind and Scott Cendrowski, “Exclusive: Chinese authorities conduct unannounced 'inspections' of Bloomberg News bureaus," Fortune, 2 December 2013.

[7] FireEye. “Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong’s Pro-Democracy Movement.” November 3, 2014.

[8] Fisher, Max. “Syrian hackers claim AP hack that tipped stock market by $136 billion. Is it terrorism?” The Washington Post. 23 April 2013.

[9] “French officials investigate hack of television network,” Interview by Audie Cornish, All Things Considered, NPR, 9 April 2015,

[10] Alba, Alejandro, “FBI investigates ISIS hacker group Cyber Caliphate following series of hacks on news organizations in Maryland, Albuquerque,” New York Daily News, 6 January 2015,

[11] “Newsweek Twitter account apparently hacked by pro-ISIS group,” CBS News, 10 February 2015.

[12] Barajas, Joshua, “Twitter account of French newspaper ‘LeMonde’ hacked,” The PBS News Hour website, 20 January 2015,

[13] FireEye. “Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong’s Pro-Democracy Movement.” November 3, 2014.

[14] Gough, Neil. “For Jimmy Lai, Hong Kong’s Rebellious Tycoon, Next Battle May Be in Court,” New York Times, 11 January 2015,

[15] Seals, Tara,  “DDoS Against Hong Kong’s Pro-Democracy Movement Linked to Chinese APT Actors,” Infosecurity Magazine, 3 November 2014,

[16] Wyatt, Daisy, “Syrian Electronic Army hackers attack Guardian Twitter accounts,” Independent, 30 April 2013,

[17] Tsukayama, Hayley, “Syrian Electronic Army attack suspected on New York Times; group also claims Twitter hack,” The Washington Post, 27 August 2013.

[18] “Syrian hacking group places pop-up message on websites,” BBC News, 28 November 2014,

[19] Greenberg, Adam, “ hacked by Syrian Electronic Army,” SC Magazine, 11 November 2013.

[20] Winograd, David, “CNN Sites Get Hacked,” TIME, 23 January 2014,

[21] Greenberg, Adam, “Syrian Electronic Army hacks Time over Person of the Year poll,” SC Magazine, 2 December 2013,

[22] “CBS News: Our Twitter Accounts Were Hacked,” Reuters, 20 April 2013,

[23] FireEye. “APT28:  A Window Into Russia’s Cyber Espionage Operations?” 27 October 2014.

[24] Perlroth, Nicole, “Hackers in China Attacked the Times for Last 4 Months,” The New York Times,  30 January 2013,

[25] Perlroth, Nicole, “Wall Street Journal Announces That It, Too, Was Hacked by the Chinese,” The New York Times, 31 January 2013,

[26] Perlroth, Nicole, “Washington Post Joins List of News Media Hacked by the Chinese,” The New York Times, 1 February 2013,

[27] Barrett, Devlin, Siobhan Gorman, and Danny Yadron, “Chinese Hackers Hit U.S. Media,” The Wall Street Journal, 31 January 2013,