The Campaign
A previously unreported cyberespionage group, dubbed INDIGO RUST by the defensive researchers tracking it, has spent at least two weeks harvesting credentials from journalists and editors at major American news organizations through an adversary-in-the-middle phishing kit, according to two incident responders at a Fortune 500 media firm and a federal cybersecurity contractor familiar with the investigation. The activity was first detected on December 16, 2025, after a reporter at a national newspaper attempted to log in to a fake single sign-on page that mirrored the organization's Okta portal down to the company logo and two-factor authentication prompt, the incident responders said.
The phishing kit intercepts usernames, passwords, and time-based one-time passcodes in real time, relaying the one-time codes to the legitimate portal before they expire and capturing the resulting session tokens for reuse, the responders said. At least four large broadcast networks, two wire services, and three newspaper groups have observed related login attempts or confirmed token theft since mid-December, according to a CISO briefed on the activity. The fake pages are hosted on domains registered through a reseller in Iceland and routed through a content delivery network with points of presence in Germany and Singapore, the CISO said.
The operation relies on spear-phishing emails that appear to come from an internal IT help desk and direct recipients to update their credentials before a fictitious January 6 deadline. The emails reference a real internal project name in at least two cases, suggesting the actors conducted reconnaissance against public job postings and staff directories, the federal contractor said. One malicious domain identified in the campaign, which the contractor declined to name publicly, was registered on December 11, 2025, for $12.99 through a reseller that accepts cryptocurrency.
Sources and Attribution
Two U.S. officials familiar with the matter said the FBI's National Security Branch began notifying affected outlets on January 2, 2026, after a defense contractor shared network logs that tied the phishing kit to infrastructure used in a 2024 campaign against European government press offices. The officials said CISA hosted an emergency briefing on January 3 at 10:00 a.m. Eastern at its Arlington, Virginia, operations center for representatives of at least nine media organizations. The meeting included analysts from the FBI's Cyber Division and the Office of the Director of National Intelligence, one official said.
The federal cybersecurity contractor said the kit shares code-level similarities with tools used by a group tracked publicly by private-sector analysts as a Chinese state-sponsored actor, though the contractor cautioned that the evidence is circumstantial and that INDIGO RUST may be a distinct cluster. The overlap includes a specific JavaScript obfuscation pattern and a method for proxying authentication requests through a Flask-based backend, the contractor said. A senior diplomat involved in allied cyberdefense discussions said European counterparts plan to release a parallel advisory by January 8 naming the same infrastructure.
The financial impact is already visible. One affected newspaper chain has spent roughly $340,000 on emergency identity resets, endpoint forensics, and outside counsel since December 28, according to a congressional aide briefed on the company's incident response. A broadcast network has retained a third-party firm at a projected cost of $1.2 million to review six months of email access logs, the aide said. No ransomware has been deployed, and no outlet has paid a ransom, the two incident responders emphasized.
Defensive Response and What Comes Next
CISA is expected to release a FLASH alert on January 5 or January 6 describing the indicators of compromise and urging newsrooms to enforce phishing-resistant multifactor authentication, such as FIDO2 security keys, for all publishing and email systems, the U.S. officials said. The alert will also recommend that media companies review DNS logs for lookalike domains registered after November 1, 2025, and disable legacy authentication protocols, which cannot enforce multifactor authentication or modern token-binding requirements, one official said.
The defensive ask from researchers is direct: replace app-based one-time passcodes with hardware keys, which a proxy of this kind cannot defeat because the FIDO2 assertion is bound to the real site's origin; segment editorial networks from corporate systems; and train staff to verify IT requests through a second channel before entering credentials. The incident responders said they have shared a list of roughly 45 suspicious domains with the FBI and expect the number to grow as more outlets review their logs. The CISO said one newsroom discovered the campaign only after a journalist noticed that a password-reset link led to a URL with an extra hyphen in the company name.
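The DNS-log review the officials describe and the extra-hyphen domain the journalist spotted are the same check seen from two sides. The script below is an added example of that check in Python; it is not code from the article, the responders, or any advisory. It assumes a fictional brand domain (example-news.com), a constructed log format of "timestamp client qname", a simplified registrable-domain rule (last two labels, so multi-part suffixes such as .co.uk are not handled), and an edit-distance threshold of 2; all of those are assumptions for illustration. It flags four lookalike patterns: a different top-level domain, the brand name used as a subdomain of an unrelated domain, a separator variant such as a doubled hyphen, and small character edits.

```python
"""Flag lookalike domains in DNS query logs.

Added example, not from the article. Assumptions: the brand domain is the
fictional example-news.com; log lines are "<timestamp> <client> <qname>";
the registrable domain is the last two labels (no public suffix list).
"""
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional, Set, Tuple

MAX_EDIT_DISTANCE = 2  # assumed threshold, tune to your brand label length

# Constructed sample log lines (not real traffic). Lines 2, 4, 5 and 7 are
# lookalikes of the kinds described in the article; the rest are benign.
SAMPLE_LOG = """\
2025-12-16T08:01:12Z 10.1.4.22 sso.example-news.com
2025-12-16T08:03:40Z 10.1.4.22 login.example--news.com
2025-12-16T08:05:02Z 10.1.7.9  cdn.static-assets.net
2025-12-16T08:07:51Z 10.1.4.31 okta.examp1e-news.com
2025-12-16T08:09:13Z 10.1.2.8  mail.example-news.co
2025-12-16T08:10:00Z 10.1.9.4  example-news.com
2025-12-16T08:11:30Z 10.1.4.22 example-news.com.login-portal.net
"""

KNOWN_GOOD: Set[str] = {"example-news.com"}  # assumed brand domain


@dataclass(frozen=True)
class Hit:
    qname: str        # the queried name as seen in the log
    registrable: str  # the domain someone would have had to register
    reason: str       # which lookalike pattern matched


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(qname: str) -> str:
    """Last two labels, lowercased. Simplification: a real deployment should
    use a public suffix list so that names under .co.uk etc. are split right."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def split_registrable(domain: str) -> Tuple[str, str]:
    """'example-news.com' -> ('example-news', 'com')."""
    label, sep, tld = domain.rpartition(".")
    return (label, tld) if sep else (tld, "")


def classify(qname: str, known_good: Set[str]) -> Optional[Hit]:
    """Return a Hit if qname looks like an impersonation of a known-good domain."""
    registrable = registrable_domain(qname)
    if registrable in known_good:
        return None  # legitimate host under a brand domain
    labels = qname.lower().rstrip(".").split(".")
    label, tld = split_registrable(registrable)
    for brand in known_good:
        brand_label, brand_tld = split_registrable(brand)
        if label == brand_label and tld != brand_tld:
            return Hit(qname, registrable, "tld_swap")
        if brand_label in labels[:-2]:
            # brand name sits above an unrelated registrable domain
            return Hit(qname, registrable, "brand_as_subdomain")
        if label.replace("-", "") == brand_label.replace("-", ""):
            # same letters, hyphens added or removed (the extra-hyphen case)
            return Hit(qname, registrable, "separator_variant")
        distance = levenshtein(label, brand_label)
        if distance <= MAX_EDIT_DISTANCE:
            return Hit(qname, registrable, f"edit_distance_{distance}")
    return None


def parse_qnames(log_text: str) -> Iterator[str]:
    """Yield the queried name from each well-formed log line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            yield parts[2]


def find_lookalikes(log_text: str, known_good: Iterable[str]) -> List[Hit]:
    known = {d.lower() for d in known_good}
    hits: List[Hit] = []
    for qname in parse_qnames(log_text):
        hit = classify(qname, known)
        if hit is not None:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_LOG, KNOWN_GOOD):
        print(f"{hit.reason:20s} {hit.registrable:28s} (seen as {hit.qname})")
```

Run against the constructed log it reports four domains and leaves the two legitimate example-news.com hosts and the unrelated CDN name alone. In practice the registrable domains it returns are the ones to check against registration dates (the advisory's November 1 cutoff) and to block or sinkhole; the edit-distance threshold should scale with the brand label, since a distance of 2 on a five-letter name is far noisier than on a twelve-letter one.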
The next 48 to 72 hours will test whether the affected organizations can revoke compromised sessions before INDIGO RUST shifts from credential theft to email exfiltration or supply-chain access, the federal contractor said. Watch for a joint CISA-FBI advisory, expected by midweek, and for potential follow-on activity tied to the January 6 date referenced in the lure emails. Congressional staff on the House Homeland Security Committee have scheduled a classified briefing for January 7 to review the scope of the intrusion, the congressional aide said.