The cybersecurity company Proofpoint described the numerous campaigns it claims were run by state-sponsored and state-aligned hacking groups against media professionals in a blog post on Thursday.
In order to gain access to information deemed valuable by foreign governments, the hacking groups, also known as advanced persistent threat (APT) actors, either impersonated or specifically targeted journalists.
The blog claims that “a successful, well-timed attack on a journalist’s email account could provide insights into sensitive, developing stories and source identification.” “A compromised account could be used to spread false information or pro-state propaganda, disseminate false information in the midst of a pandemic or war, or exert political influence,” according to the report.
The APT actors that Proofpoint is keeping an eye on are thought to share the state interests of nations like China, North Korea, Iran, and Turkey. Some simply targeted journalists for negatively portraying their nations, while others timed their attacks around significant political events in the United States.
Phishing emails intended to steal the login information for journalists’ email accounts were the most popular method of targeting. According to Proofpoint, since the beginning of last year, one APT actor, commonly known as TA412 or Zirconium, and thought to be connected to China, has carried out a number of reconnaissance phishing campaigns.
According to reports, Zirconium frequently employs web beacons or tracking pixels in emails to ascertain whether an account is active and gather details about the target’s web browser and operating system. Between January and February 2021, Proofpoint claims to have observed a total of five different campaigns. Prior to the attack on the U.S. Capitol on January 6, the cybersecurity firm claims it noticed an increase in the targeting of journalists in Washington, D.C.
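As an added illustration (not from Proofpoint's report or the original article), the sketch below shows how an analyst or mail gateway could flag the invisible remote images that web beacons rely on. The sample message, its hosts, and the "1x1 or hidden by CSS" heuristics are constructed assumptions.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not taken from any real campaign).
SAMPLE_EML = """\
From: desk@example.org
Subject: Story tip
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://cdn.example.org/logo.png" width="200" height="60">
<img src="http://track.example.net/o.gif?id=7f3a9c" width="1" height="1">
<img src="https://img.example.net/p?u=abc123" style="display:none">
</body></html>
"""
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class BeaconFinder(HTMLParser):
    """Collect remote <img> tags that render invisibly (likely open-tracking beacons)."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlparse(a.get("src", ""))
        if url.scheme not in ("http", "https"):
            return  # cid: and data: images do not call out to a remote server
        tiny = {a.get("width", "").strip(), a.get("height", "").strip()} <= {"0", "1"}
        hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
        if tiny or hidden:
            reason = "1x1 or smaller" if tiny else "hidden by CSS"
            self.findings.append((url.hostname, a["src"], reason))

def find_beacons(raw_message):
    """Return (host, url, reason) for each suspected beacon in a message's HTML parts."""
    msg = message_from_string(raw_message, policy=policy.default)
    finder = BeaconFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.findings

if __name__ == "__main__":
    print(*find_beacons(SAMPLE_EML), sep="\n")
```

Disabling automatic loading of remote images in the mail client prevents the beacon request from being sent at all.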
A few months later, in August 2021, the APT actors allegedly became active again, this time concentrating on journalists covering China-related cybersecurity, surveillance, and privacy issues. Following the Russian invasion of Ukraine in February, the efforts resumed. It was discovered that additional APT actors with ties to China were sending malicious documents to journalists in order to infect them with malware.
American journalists were actively targeted by North Korea. After a particular media outlet published an article criticizing North Korean leader Kim Jong-un, Lazarus-affiliated APT actors reportedly conducted reconnaissance against it. In their phishing emails, the hackers advertised links to fake job listings that, when clicked, gave the APT actors access to information on the victim’s device, including their public IP address and operating system, for use in further exploitation. Journalists’ social media pages were also targeted.
Proofpoint also blamed APT actors associated with Turkey who have been attacking journalists’ social media accounts, particularly those on Twitter, since the beginning of the year. Attacks frequently involve phishing attempts to obtain a user’s login information. The hackers were even accused of pretending to be journalists in order to target academics and foreign policy specialists.
When a journalist approaches you for an interview about a subject you are an expert in, there is an innate sense of intrigue. The blog notes that it is common for people to ignore or overlook warning signs that an opportunity may not be entirely legitimate because of the allure of having research featured in the media. “APT actors are using this social engineering technique to successfully exploit people’s desire for recognition as they target academics and foreign policy experts globally, probably in an effort to access sensitive information.”
Additionally, several APT actors allegedly connected to Iran were mentioned in Proofpoint’s analysis. Two groups known as Charming Kitten and Tortoiseshell are accused of frequently impersonating journalists from illustrious publications like Fox News and the Guardian, among others. The majority of the attacks appeared to be focused on gathering login information.
“Targeting journalists and media organizations is not novel,” Proofpoint writes in closing. “APT actors, regardless of their state affiliation, have and will likely always have a mandate to target journalists and media organizations and will use associated personas to further their objectives and collection priorities.”
Proofpoint advises journalists to exercise caution when checking emails or accessing login pages, especially those who cover foreign policy in relation to nations like China or North Korea.