Campaign Hits Broadcast and Streaming Firms Since December
A cyber espionage group that two federal cybersecurity contractors have designated INDIGO RUST has stolen employee credentials and internal documents from at least four major U.S. broadcasters and streaming platforms since mid-December, according to two incident responders at a Fortune 500 firm and a CISO briefed on the investigation. The intrusions, which were first detected in late January, focus on procurement systems, content scheduling applications, and vendor portals that connect media companies to advertising and distribution partners.
The CISO, whose company provides security services to two of the affected broadcasters, said INDIGO RUST appears to be operating from infrastructure registered in Singapore and Hong Kong and routes traffic through residential proxy services to mask its origin. The group has used password spraying and stolen session cookies to bypass multi-factor authentication on cloud email tenants, the CISO said. No ransomware has been deployed, and no broadcasts have been disrupted, but the responders said the actors have maintained persistent access to at least one victim for at least seven weeks.
Two incident responders at a Fortune 500 firm said they have observed INDIGO RUST targeting organizations in the media sector since December 12, with a notable spike in activity on January 18 and January 19. The responders, who asked not to be named because they are not authorized to speak about client matters, said the group exploited weak or reused credentials at third-party help desk vendors to gain initial access and then moved laterally into identity management systems.
The same responders said the group has shown a preference for Microsoft 365 environments and has used legitimate administrative tools, including Azure Active Directory and Intune, to avoid detection. They said INDIGO RUST typically operates during business hours in the victim's time zone, suggesting the actors work from a fixed operational schedule rather than an automated script.
Stolen Data Includes Schedules, Contracts, and Ad Revenue Figures
The attackers have exfiltrated internal content calendars, advertising rate cards, and draft talent contracts, according to a federal cybersecurity contractor familiar with the investigation. The contractor said the theft of advertising revenue data appears to be a primary objective, with actors collecting quarterly earnings presentations, upfront sales figures, and programmatic ad platform credentials that could be used to manipulate auction pricing or gather competitive intelligence.
The same contractor said one victim lost documents tied to a planned merger announcement scheduled for late February. The documents included draft regulatory filings and internal board memos that had not been made public. The contractor said the affected company discovered the breach on January 29 and has retained outside counsel and a crisis communications firm with offices in Washington and Los Angeles.
A CISO briefed on the activity said INDIGO RUST's interest in media companies diverges from the more familiar pattern of Chinese espionage targeting defense and technology firms. The CISO said the campaign likely aims to support Beijing's efforts to understand Western information operations, advertising markets, and content moderation decisions ahead of the 2026 midterm elections. The CISO emphasized that attribution remains preliminary and is based on infrastructure overlaps with a cluster first reported by a private threat intelligence firm in November 2025.
The federal contractor said the group has also targeted public relations agencies that represent media clients, stealing press distribution lists and embargoed product announcements. Those agencies, three of which have been notified by law enforcement, hold privileged access to broadcaster content management systems and social media accounts.
Defensive Ask and What to Watch
Security teams at media companies should immediately audit third-party vendor access, rotate credentials for help desk and scheduling platforms, and require phishing-resistant multi-factor authentication for all cloud administrative accounts, the incident responders said. They also recommended reviewing sign-in logs for successful authentications from residential proxy networks and checking content management system access for accounts that log in outside normal business hours.
The responders said companies should specifically search for Azure AD sign-ins from Autonomous System Numbers associated with residential proxy providers and should revoke session tokens for any administrator who logged in from an unusual location between December 15 and January 31. They also advised broadcasters to segment vendor access so that help desk tools cannot reach content scheduling systems without a separate approval step.
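The three hunts the responders describe (successful sign-ins from residential-proxy ASNs, administrator sign-ins from unusual locations inside the December 15 to January 31 window, and access outside business hours) can be run as one pass over exported sign-in records. The script below is an added illustration, not code from the article or from any of the firms quoted; the ASN list, the role names, the per-user country baseline and the sample log records are all constructed placeholders, and timestamps are assumed to be UTC with a fixed local offset.

```python
import json
from datetime import datetime, timezone

# Placeholder ASNs standing in for residential proxy providers (constructed, private-use range, not real).
RESIDENTIAL_PROXY_ASNS = {64512, 64513}
ADMIN_ROLES = {"Global Administrator", "Exchange Administrator"}
WINDOW_START = datetime(2025, 12, 15, tzinfo=timezone.utc)   # token-revocation window from the article
WINDOW_END = datetime(2026, 1, 31, 23, 59, 59, tzinfo=timezone.utc)
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 in the victim's local time zone

# Constructed sample records mimicking the shape of Azure AD sign-in log entries.
SAMPLE_LINES = [
    '{"user":"alice","roles":["Global Administrator"],"asn":64512,"country":"SG","resultType":0,"createdDateTime":"2026-01-18T14:05:00Z"}',
    '{"user":"bob","roles":[],"asn":65000,"country":"US","resultType":0,"createdDateTime":"2026-01-19T07:30:00Z"}',
    '{"user":"carol","roles":[],"asn":64513,"country":"HK","resultType":50126,"createdDateTime":"2026-01-19T07:31:00Z"}',
    '{"user":"dave","roles":["Global Administrator"],"asn":65001,"country":"US","resultType":0,"createdDateTime":"2026-02-03T15:00:00Z"}',
]
USUAL_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "dave": {"US"}}  # constructed per-user baseline

def parse_signin(line):
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
    return rec

def triage(lines, usual_countries, local_utc_offset=-5):
    """Apply the three checks from the article to each successful sign-in; return only flagged ones."""
    findings = []
    for line in lines:
        rec = parse_signin(line)
        if rec.get("resultType") != 0:  # 0 = success; failed attempts are a separate (spraying) question
            continue
        flags = []
        if rec["asn"] in RESIDENTIAL_PROXY_ASNS:
            flags.append("residential_proxy_asn")
        is_admin = bool(ADMIN_ROLES & set(rec.get("roles", [])))
        in_window = WINDOW_START <= rec["ts"] <= WINDOW_END
        unusual = rec["country"] not in usual_countries.get(rec["user"], set())
        if is_admin and in_window and unusual:
            flags.append("revoke_sessions")  # admin from an unusual location inside the window
        local_hour = (rec["ts"].hour + local_utc_offset) % 24
        if local_hour not in BUSINESS_HOURS:
            flags.append("off_hours")
        if flags:
            findings.append({"user": rec["user"], "ts": rec["createdDateTime"], "flags": flags})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES, USUAL_COUNTRIES):
        print(f)
```

Against the constructed records it flags alice for both the proxy ASN and session revocation and bob for an off-hours login; carol's failed attempt and dave's in-baseline sign-in after the window produce nothing.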
The federal contractor said the Cybersecurity and Infrastructure Security Agency is expected to issue an alert to sector coordinating councils by February 7, though the agency may not name the affected companies. The contractor said CISA has scheduled a classified briefing for senior media executives on February 10 at the FBI's New York field office.
Watch for three signals over the next 48 to 72 hours: a coordinated disclosure by one or more broadcasters, a statement from CISA about cyber activity affecting the communications sector, or reporting by a major outlet confirming the breach at a specific network. If any of those occur, the full scope of the INDIGO RUST campaign is likely to become public by the weekend.
