Cyberattack on News Corp, Believed Linked to China, Targeted Emails of Journalists, Others

News Corp said it notified law enforcement and hired cybersecurity firm Mandiant Inc. to support an investigation. A representative of the Federal Bureau of Investigation said late Friday that it was aware of the incident.

“Mandiant assesses that those behind this activity have a China nexus, and we believe they are likely involved in espionage activities to collect intelligence to benefit China’s interests,” said David Wong, vice president of incident response at Mandiant.

News Corp disclosed the hack in a securities filing Friday, saying its preliminary analysis indicates that data was taken.

A spokesman for the Chinese Embassy in Washington said that China is a staunch defender of cybersecurity and “firmly opposes and combats cyberattacks and cyber theft in all forms.” The spokesman, Liu Pengyu, said that identifying the source of cyberattacks is technically complex.

“We hope that there can be a professional, responsible and evidence-based approach to identifying cyber-related incidents, rather than making allegations based on speculations,” Mr. Liu said.

In the staff memo News Corp said it believes the threat activity is contained. The company has been offering guidance to affected employees.

“We are committed to protecting our journalists and sources. We will not be deterred from our purpose—to provide uniquely trusted journalism and analysis. We will continue to publish the important stories of our time,” said Almar Latour, chief executive of Dow Jones and publisher of The Wall Street Journal.

The company’s investigation indicates that systems housing financial and customer data, including subscriber information, weren’t affected, according to the securities filing and a person familiar with the matter.

The investigation detected that the intrusion appeared to date to at least February 2020, according to people briefed on the matter, and scores of employees were impacted. The hackers were able to access reporters’ emails and Google Docs, including drafts of articles, the people said. News Corp was still trying to determine the full extent of emails and documents that were accessed, the people said.

While the hackers accessed the Google system used by News Corp employees, there was no indication that they breached the system through a compromise at Google, said people briefed on the matter. Google’s own systems weren’t affected by the incident, a Google spokeswoman said.

Reporters who were affected by the hack and were briefed on it expressed concerns to company officials about protecting their sources’ identities. By Friday afternoon, many Journal reporters affected had been notified by company officials of specific documents that were believed to have been accessed.

The attackers appeared to be interested in a range of topics, including issues of importance to Beijing such as Taiwan and China’s Uyghur ethnic group, according to other people briefed on the matter and a review of some of the document target lists. Other areas of interest included draft Journal articles and notes about U.S. military troop activity, U.S. technology regulation related to China, and articles about President Joe Biden, Vice President Kamala Harris and senior White House officials.

The hackers also searched using keywords for emails related to traditional intelligence areas, including defense, one person familiar with the ongoing investigation said. Those searches in some cases appeared to be prompted by contemporary news developments. “They would come back periodically,” this person said.

Law-enforcement officials and cybersecurity experts say that journalists are often high-priority targets for hackers seeking to gain intelligence on behalf of foreign governments, because they speak to sources who might have valuable or sensitive information. Powerful surveillance tools have been used against journalists and human-rights activists.

U.S. authorities have accused China-based hackers for years of targeting a range of American businesses and government institutions. FBI Director Christopher Wray said this week that Beijing is running a “massive, sophisticated hacking program that is bigger than those of every other major nation combined.” The FBI has more than 2,000 active investigations related to allegations of Chinese-government-directed theft of U.S. information or technology, Mr. Wray said.

China has repeatedly denied allegations that it has carried out cyberattacks.

In 2013, Chinese hackers trying to monitor news coverage of China hacked into the Journal’s network, apparently aiming to spy on reporters covering China and other issues, the Journal reported. The New York Times had experienced a similar attack. At the time, a Chinese embassy spokesman condemned allegations of Chinese cyberspying and said Beijing prohibits cyberattacks.

In February 2020, China revoked the press credentials of three Journal reporters based in Beijing. China’s Foreign Ministry said the move was punishment for an opinion piece published by the Journal. The three journalists work for the Journal’s news operation, which operates with a strict separation from the opinion staff.

The following month, the Trump administration announced a personnel cap in the U.S. on four state-run Chinese media outlets. Later that March, China expelled from the country American journalists from multiple news organizations, including the Journal.

In November 2021, each country agreed to ease visa restrictions for the other’s reporters. The Journal was among a handful of U.S. outlets set to receive new press credentials for some staff.

—Robert McMillan and Jeffrey A. Trachtenberg

Write to Alexandra Bruell at [email protected], Sadie Gurman at [email protected] and Dustin Volz at [email protected]