Washington Post email accounts hacked in suspected foreign attack

Several journalists' email accounts were compromised in a targeted intrusion likely linked to a foreign government.

 

What happened

The Washington Post has confirmed that multiple staff email accounts were compromised in a cyberattack discovered on Thursday evening. On Sunday, June 15, an internal memo from Executive Editor Matt Murray informed employees of a possible targeted unauthorized intrusion into the organization’s Microsoft email system. The breach reportedly impacted a limited number of journalists.

The publication has launched an investigation into the incident, which is believed to have been carried out by a foreign government, based on early indicators.

 

Going deeper

Sources told The Wall Street Journal that the affected journalists cover sensitive topics, including national security, economic policy, and China. While the Washington Post has not disclosed further details, the attack fits a common pattern seen in state-sponsored campaigns, particularly those linked to Chinese advanced persistent threat (APT) groups.

These groups have a history of targeting Microsoft Exchange servers. In 2021, Chinese hackers were linked to widespread intrusions across NATO members and U.S. government agencies. In 2024, Microsoft reported that APTs were actively exploiting a privilege escalation vulnerability in Exchange as a zero-day for NTLM relay attacks.

Groups such as APT27, Bronze Butler, and Calypso have been observed using similar tactics in past espionage campaigns.

 

What was said

The Washington Post has not released public statements beyond the internal memo. Microsoft, which provides the affected email infrastructure, has not commented on the specific breach. Executive Editor Matt Murray stated in the memo that only a limited number of accounts were compromised, and the investigation is ongoing.

 

The big picture

State-backed targeting of journalists, particularly those reporting on geopolitical and security topics, reflects the operational interest in gaining access to media communications. Email platforms remain a frequent entry point due to the volume of sensitive information they contain. With continued exploitation of both known and new Exchange vulnerabilities, media organizations covering international issues face growing pressure to strengthen cybersecurity practices.

 

FAQs

Why would state actors target journalists?

Journalists often interact with government sources, researchers, and confidential informants. State-sponsored hackers may seek early access to unpublished stories, source identities, or geopolitical insights.

 

What makes Microsoft Exchange a common target?

Exchange’s widespread use and history of vulnerabilities make it attractive to attackers. Its access to email, calendar, and contact data creates a central point for high-value information.

 

How can media organizations improve email security?

Adopting multi-factor authentication, patching vulnerabilities promptly, and conducting regular phishing simulations can reduce risk. Some newsrooms also isolate high-risk accounts with additional monitoring.

 

What is an APT group?

An Advanced Persistent Threat (APT) group is typically a state-sponsored hacking team that conducts long-term, targeted cyber operations for intelligence gathering or disruption.

 

Are journalists typically notified when their accounts are breached?

Yes. Responsible organizations notify affected individuals once a breach is detected, especially when sensitive communication or reporting work is potentially compromised.
