Pierluigi Paganini May 13, 2024

A group of hackers that defines itself as “first-class Russian hackers” claims the defacement of hundreds of local and regional British newspaper websites.

A group claiming to be “first-class Russian hackers” defaced numerous local and regional British newspaper websites owned by Newsquest Media Group. The group defaced the home pages of the targeted websites and posted the message “PERVOKLASSNIY RUSSIAN HACKERS ATTACK.”

The following image shows an archived version of the East Lothian Courier, which is one of the impacted newspapers, that was published by Reported Future News.

Newsquest Media Group Limited is the second-largest publisher of regional and local newspapers in the United Kingdom. It is owned by the American mass media holding company Gannett. It has 205 brands across the UK, publishing online and in print (165 newspaper brands and 40 magazine brands) and reaches 28 million visitors a month online and 6.5 million readers a week in print. Based in London, Newsquest employs a total of more than 5,500 people across the UK.

Local media websites in the UK are vulnerable to cyber attacks, threat actors can target them to spread fake news.

In August 2020, security experts from FireEye uncovered a disinformation campaign aimed at discrediting NATO by spreading fake news content on compromised news websites.

“The operations have primarily targeted audiences in Lithuania, Latvia, and Poland with anti-North Atlantic Treaty Organization (NATO) narratives, often leveraging website compromises or spoofed email accounts to disseminate fabricated content, including falsified correspondence from military officials” reads the report published by FireEye.

According to FireEye, the campaign tracked as GhostWriter, has been ongoing since at least March 2017 and is aligned with Russian security interests.

Unlike other disinformation campaigns, GhostWriter doesn’t spread through social networks, instead, threat actors behind this campaign abused compromised content management systems (CMS) of news websites or spoofed email accounts to disseminate fake news.

The attackers used to replace existing legitimate articles on the sites with the fake content, instead of creating new posts.

The attackers were spreading fabricated content, including falsified news articles, quotes, correspondence, and other documents designed to appear as coming from military officials and political figures in the target countries.

According to the experts, the campaign primarily targeted audiences in specific states members of the alliance, including Lithuania, Latvia, and Poland.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Russian hackers)