Attackers Scan Media Chains in Late January
A previously unreported cyber-espionage group has been harvesting credentials from newspaper and broadcast chains since late January in a campaign that private incident responders have designated INDIGO RUST, according to two incident responders at a Fortune 500 firm. The responders said the activity had targeted at least five media organizations, including a Midwestern newspaper group, a Southeastern broadcast group, a national magazine publisher, and two local television station owners. The campaign focuses on externally facing remote-access portals and content-management systems, the responders said.
The two incident responders, who were not authorized to speak publicly, said they had observed INDIGO RUST probing login pages and attempting bulk credential reuse against cloud-hosted publishing platforms between Jan. 27 and Feb. 2. A CISO briefed on the activity at a Feb. 3 industry call said the group appeared to be gathering credentials for a larger operation rather than immediately deploying ransomware. The CISO, who requested anonymity because the call was under Chatham House Rule, said the attackers had sent at least one $2.4 million ransom demand to a targeted chain on Feb. 2 but had not yet received payment.
The timing of the campaign has alarmed election-security officials because local broadcasters and newspapers handle candidate filings, voter guides, and advertising contracts in the run-up to the 2026 primaries, the CISO said. The CISO said INDIGO RUST had not yet been observed attempting to alter published content, but the group had accessed internal editorial calendars and advertising rate cards at two organizations. The responders said they had not seen evidence of voter database access.
A federal cybersecurity contractor familiar with the investigation said CISA and the FBI had opened a joint inquiry on Jan. 31 and had begun sharing defensive guidance with affected publishers through the Multi-State Information Sharing and Analysis Center. The contractor, who spoke on condition of anonymity to discuss an active investigation, said agencies had not attributed the campaign to a foreign government but were tracking it under the temporary name INDIGO RUST at the request of the private-sector partners who first reported it.
Defensive Ask: Rotate, Segment, and Hunt
The CISO and the federal contractor said the most urgent defensive step is a forced rotation of all credentials tied to content-management systems, remote-access platforms, and cloud email accounts used by editorial and advertising staff. The responders said organizations should also enable phishing-resistant multifactor authentication on every externally exposed service, including virtual private networks, webmail, and publishing tools. Segmenting broadcast networks from corporate information-technology networks remains essential, the CISO said, because INDIGO RUST has moved laterally from enterprise systems toward production environments in at least two incidents.
The two incident responders said they had advised clients to hunt for suspicious logins from residential internet service providers, unexpected access to file shares containing advertising contracts, and unauthorized creation of email-forwarding rules tied to accounts payable and human-resources mailboxes. The responders said INDIGO RUST had used legitimate remote-access tools rather than novel malware, making detection difficult for signature-based defenses. Behavioral analytics and privileged-access monitoring should be prioritized through at least the end of February, the responders added.
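As an added illustration (not code from the article or from the responders), the script below runs the three hunt criteria described above over a handful of constructed audit events; the event field names, the residential-ISP list, the contract share path and the mailbox prefixes are all assumptions.

```python
# Added example, not from the article: a minimal hunt over constructed audit
# events for the three indicators the responders described. Event field names,
# the residential-ISP list, share paths and mailbox prefixes are all assumptions.

# Assumed: ISP organization names an enrichment step labels as residential.
RESIDENTIAL_ISPS = {"Comcast Cable", "Charter Communications", "AT&T U-verse"}
# Assumed: accounts-payable and HR mailbox prefixes to watch for forwarding rules.
WATCHED_PREFIXES = ("ap@", "accountspayable@", "hr@")
# Assumed: file-share prefixes holding advertising contracts, and the roles
# expected to read them.
CONTRACT_SHARES = ("\\\\fs01\\advertising\\contracts",)
CONTRACT_ROLES = {"advertising", "legal"}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "type": "signin", "user": "jdoe", "isp": "Comcast Cable", "mfa": True},
    {"id": 2, "type": "signin", "user": "cms-admin", "isp": "Charter Communications", "mfa": False},
    {"id": 3, "type": "file_access", "user": "jdoe", "role": "editorial",
     "path": "\\\\fs01\\advertising\\contracts\\2026-q1.xlsx"},
    {"id": 4, "type": "file_access", "user": "asales", "role": "advertising",
     "path": "\\\\fs01\\advertising\\contracts\\2026-q1.xlsx"},
    {"id": 5, "type": "mailbox_rule", "mailbox": "accountspayable@example.com",
     "action": "forward", "target": "collector@mail.example"},
    {"id": 6, "type": "mailbox_rule", "mailbox": "newsroom@example.com", "action": "move"},
]

def check_event(event):
    """Return the hunt reason an event matches, or None if it matches nothing."""
    kind = event.get("type")
    if kind == "signin":
        # A residential ISP alone is normal for remote staff; the pairing with a
        # missing MFA claim is what earns a review (assumed threshold).
        if event.get("isp") in RESIDENTIAL_ISPS and not event.get("mfa"):
            return "residential-ISP sign-in without MFA"
    elif kind == "file_access":
        path = event.get("path", "").lower()
        if path.startswith(tuple(s.lower() for s in CONTRACT_SHARES)) \
                and event.get("role") not in CONTRACT_ROLES:
            return "unexpected access to advertising-contract share"
    elif kind == "mailbox_rule":
        if event.get("action") == "forward" \
                and event.get("mailbox", "").lower().startswith(WATCHED_PREFIXES):
            return "forwarding rule created on AP/HR mailbox"
    return None

def hunt(events):
    """Run every event through the rules; return (event id, reason) pairs."""
    return [(e["id"], r) for e in events if (r := check_event(e))]

if __name__ == "__main__":
    for event_id, reason in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

In a real environment the ISP label would come from an IP-enrichment step and the share and mailbox lists from the organization's own inventory.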
The federal contractor said CISA planned to publish an alert by Feb. 7 urging media-sector organizations to review access logs for the last 60 days and to report any related activity. The contractor said the alert would include a sector-specific checklist and would be distributed through the Media and Entertainment ISAC, though it would not identify individual victim companies. The checklist is expected to cover five areas: inventory of external publishing tools, forced credential rotation, multifactor authentication enforcement, network segmentation between broadcast and business systems, and centralized logging for remote-access sessions. The FBI field offices in Atlanta, Chicago, and New York had begun outreach to regional publishers on Feb. 3, the contractor said.
What to Watch in the Next 72 Hours
The incident responders said the group could shift from credential harvesting to data theft or encryption within days if targets do not rotate exposed credentials. The CISO said at least one victim chain had already begun notifying employees of suspicious account activity and had taken its content-management system offline for maintenance on Feb. 3. The responders said they expected additional ransom demands to appear by Feb. 6 if the group maintains its current pace.
The Feb. 3 industry call included security leaders from Gannett, McClatchy, Lee Enterprises, and Hearst Television, according to a participant who requested anonymity. The participant said the group discussed a coordinated response and agreed to share indicators through a trusted broker rather than public channels. The CISO said the defensive ask is straightforward: treat every publishing and broadcast network as already exposed until credentials are rotated and MFA is enforced.
Major outlets are likely to confirm the campaign once CISA releases its alert or a victim discloses a breach. Watch for any statement from CISA, additional FBI field-office notifications, and whether media chains begin publicly reporting outages or forced password resets. The next 48 to 72 hours will determine whether INDIGO RUST escalates or whether the sectorwide defensive push blunts the operation.
