Cyber Incident Victim: Newsquest Media Group
Date: May 2024
Location: United Kingdom
Summary
A group claiming to be "first-class Russian hackers" defaced numerous British local newspaper websites operated by Newsquest Media Group, replacing content with a fabricated story titled "PERVOKLASSNIY RUSSIAN HACKERS ATTACK." The breach likely exploited a centralized content management system, affecting potentially hundreds of sites, though no print editions were compromised. The defacement featured a Cyrillic byline and group branding but contained no substantive text in archived examples. While Russian or Belarusian actors like Ghostwriter have historically conducted similar information operations, no attribution was confirmed. All malicious content was subsequently removed, but the incident highlights cybersecurity vulnerabilities in UK local media ahead of national elections.
Description
On May 12, 2024, a group identifying itself as "first-class Russian hackers" defaced multiple local and regional British newspaper websites operated by Newsquest Media Group. The attackers published a fabricated breaking news story titled “PERVOKLASSNIY RUSSIAN HACKERS ATTACK” across affected sites, though the content contained no substantive text. Archived versions showed the defacement consisted solely of the group’s self-proclaimed name in capital letters, a logo, and a byline attributed to “Дэниел Хопкинс” (Cyrillic for “Daniel Hopkins”). The scale of the incident suggested compromise of a central or shared content management system used by Newsquest, which owns over 250 local news brands and magazines, though the full scope of affected titles remained unconfirmed. No evidence indicated the story appeared in print editions. Newsquest did not publicly comment on the incident, and all defaced articles were removed from live websites shortly after publication, leaving only search engine cache results visible.

The incident highlighted cybersecurity vulnerabilities in UK local media infrastructure ahead of anticipated national elections. Historical context indicates similar website defacements and false story placements have been used in information operations, including activities attributed to the Belarusian-aligned Ghostwriter group (also tracked as UNC1151 and Storm-0257), though no attribution was established for this event. Ghostwriter’s known tactics include spearphishing journalists to compromise content management systems, followed by disseminating fabricated narratives to inflame geopolitical tensions. Parallels exist with an unattributed January 2024 incident where Czech news sites published false reports about an assassination attempt on Slovakia’s president. The Newsquest breach caused no confirmed dissemination of narrative content beyond the placeholder headline and branding, but demonstrated operational access to critical media distribution channels. Industry analysts noted such compromises could undermine public trust in legitimate news sources during sensitive political periods.
