Cyber Incident Victim: The Sun
Date: May 2018
Location: United Kingdom
Summary
Russian-linked IP addresses attempted to breach The Sun's network, prompting collaboration with the UK's National Cyber Security Centre to defend against malware campaigns associated with groups like Cozy Bear, Berserk Bear, and Pawn Storm. While no system breaches occurred, the parent company confirmed similar targeting of other UK news organizations' email addresses and initiated enhanced staff training to identify phishing attempts. The incident occurred amid heightened tensions between Russia and the UK, with the newspaper emphasizing its proactive cybersecurity measures due to regular handling of confidential sources.
Description
In early May 2018, The Sun newspaper detected attempts by Russian-linked IP addresses to connect to its internal computer networks. News UK Chief Technology Officer Christina Scott confirmed these incidents in an internal email circulated to staff, advising them about the cybersecurity threat. The email disclosed that The Sun's parent company was collaborating with the UK National Cyber Security Centre (NCSC) to defend against three specific Russian state-sponsored hacking campaigns: Cozy Bear, Berserk Bear, and Pawn Storm. These groups had previously been implicated in high-profile attacks, including the 2016 Democratic National Committee breach (Cozy Bear), intrusions targeting US and European energy firms via malicious Word documents (Berserk Bear), and cyber operations against French President Emmanuel Macron’s 2017 campaign (Pawn Storm). Scott noted that other UK news organizations were similarly targeted through email-based attacks, though no successful breaches of News UK’s systems occurred. A company spokesperson emphasized that existing cybersecurity measures proved effective against all intrusion attempts.

The incident unfolded amid heightened UK-Russia tensions following the March 2018 Salisbury poisoning of former Russian spy Sergei Skripal, which the UK government attributed to Russia. Concurrently, British media regulator Ofcom had launched multiple investigations into Kremlin-backed RT (Russia Today) over its Salisbury coverage. In response to the hacking attempts, The Sun initiated enhanced cybersecurity training for reporters and editors, focusing specifically on identifying phishing techniques—a common infiltration method used by threat actors. The newspaper characterized this training as standard practice for news organizations handling confidential sources, while maintaining that their systems remained uncompromised throughout the incident. No operational disruptions, data losses, or unauthorized disclosures were reported as a direct consequence of the attack attempts.
