'Russian' hackers deface potentially hundreds of local British news sites

A group declaring itself to be “first-class Russian hackers” defaced potentially hundreds of local and regional British newspaper websites on Saturday.

The group published a breaking news story titled “PERVOKLASSNIY RUSSIAN HACKERS ATTACK” on the sites of titles owned by Newsquest Media Group. There is no evidence the story was reproduced in print.

That so many Newsquest titles were affected suggests a central or shared content management system may have been breached, but there is no evidence that the hackers were actually Russian.

While cyber incidents affecting media outlets have been linked to Russian and Belarusian threat actors — particularly a group tracked as Ghostwriter — such threat actors have mostly been observed publishing false stories to inflame tensions.

The news story published across Newsquest sites did not appear to contain any text at all according to an archived version of the East Lothian Courier.

Instead it featured the claimed name of the group in capital letters, a logo, and a byline attributed to “Дэниел Хопкинс” in the Cyrillic alphabet, or “Daniel Hopkins” in English.

Newsquest is the second-largest publisher of local newspapers in Britain, with what it describes as more than 250 local news brands and magazines. It is not clear whether all of Newsquest’s titles were affected. The company could not be reached for comment.

Although there are numerous results on Google Search for “PERVOKLASSNIY RUSSIAN HACKERS ATTACK” on Newsquest titles, none of these stories is still live.

The incident may raise concerns about the cybersecurity of local media groups in the United Kingdom ahead of an expected election later this year.

The publication of false stories on hacked legitimate news sites have previously been described as information operations by Mandiant, and attributed to a notorious group of hackers affiliated with the Belarusian government.

The group, tracked as Ghostwriter, as well as UNC1151 and Storm-0257, is known to target journalists with spearphishing emails in order to gain access to their organization’s content management systems.

Ghostwriter  has previously targeted Ukrainian military personnel and Poland's government services before. The group mostly carries out phishing operations that steal email login credentials, compromise websites and distribute malware.

Earlier this year, in an incident which has not yet been attributed to any particular group, a Czech news service's website was hacked and a false story published. It falsely reported that an assassination attempt had been made against the newly elected Slovak president by Ukrainian officials, while misspelling the Slovak president’s name.