Cybersecurity researchers say they have witnessed a “sustained effort” by nation-state hackers to compromise the accounts of journalists.
In a blog post on Thursday, the cybersecurity firm Proofpoint detailed the numerous campaigns it says were carried out by state-sponsored and state-aligned hacking groups against members of the media.
The hacking groups, referred to as advanced persistent threat (APT) actors, either impersonated or targeted journalists in order to access information deemed valuable by foreign governments.
“A well-timed, successful attack on a journalist’s email account could provide insights into sensitive, budding stories and source identification,” the blog states. “A compromised account could be used to spread disinformation or pro-state propaganda, provide disinformation during times of war or pandemic, or be used to influence a politically charged atmosphere.”
The APT actors monitored by Proofpoint are believed to be aligned with the state interests of countries such as China, North Korea, Iran, and Turkey. While some targeted journalists merely for painting their countries in a poor light, others timed their attacks around major political events in the U.S.
The most common method of targeting came in the form of phishing emails designed to steal the login credentials of journalists’ email accounts. Proofpoint states that one APT actor that is believed to be linked to China, commonly referred to as TA412 or Zirconium, has engaged in numerous reconnaissance phishing campaigns since early last year.
Zirconium is said to often use web beacons or tracking pixels in emails in order to determine whether an account is active while also learning information on the target’s web browser and operating system. In total, Proofpoint says it witnessed five separate campaigns between January and February 2021. The cybersecurity firm also says it noticed an uptick in the targeting of journalists in Washington, D.C., prior to the Jan. 6 attack on the U.S. Capitol.
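The beacon technique described above works only if the mail client fetches the remote image. As an added illustration (not code from Proofpoint's post), the following scanner flags the remote images in an email body that look like beacons, so a client or gateway can refuse to load them; the sample HTML and the hosts in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel ('1', '1px', '0')."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


def find_tracking_pixels(html):
    """Return remote images that are 1x1 or hidden, with the host they report to."""
    parser = _ImgCollector()
    parser.feed(html)
    hits = []
    for img in parser.images:
        src = img.get("src", "")
        if urlparse(src).scheme not in ("http", "https"):
            continue  # inline (cid:/data:) images make no network request
        style = img.get("style", "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        tiny = _tiny(img.get("width", "")) and _tiny(img.get("height", ""))
        if hidden or tiny:
            hits.append({"url": src, "host": urlparse(src).hostname,
                         "reason": "hidden" if hidden else "1x1"})
    return hits


# Constructed sample: one ordinary remote image and one 1x1 beacon carrying a
# per-recipient token. Hosts are placeholders, not real indicators.
SAMPLE_EMAIL_HTML = """<html><body>
<p>Hi, I am writing about your recent coverage.</p>
<img src="https://cdn.example.invalid/logo.png" width="200" height="60">
<img src="https://track.example.invalid/open.gif?u=RECIPIENT-TOKEN" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_EMAIL_HTML):
        print(f"beacon -> {hit['host']} ({hit['reason']}): {hit['url']}")
```

Blocking the flagged fetch denies the sender both the "account is active" signal and the browser and operating system details the HTTP request would otherwise carry.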
The APT actors reportedly became active again months later, in August 2021, switching their focus to journalists covering cybersecurity, surveillance, and privacy issues related to China. The efforts picked up once again in February after the Russian invasion of Ukraine. Other Chinese-linked APT actors were found to be sending journalists malicious documents in order to serve them malware.
North Korea was also active in targeting American journalists. APT actors known as Lazarus reportedly carried out reconnaissance against a specific media outlet after it published an article critical of North Korean leader Kim Jong-un. The hackers advertised links to fake job listings in their phishing emails, which, when clicked, would provide the APT actors with information about the target’s device, such as its public IP address and operating system, for use in further exploitation. The social media accounts of journalists were also targeted.
Proofpoint further pointed the finger at APT actors aligned with Turkey that have been targeting the social media accounts of journalists, especially those on Twitter, since the beginning of the year. The attacks often involve phishing attempts that try to steal a user’s login credentials. The hackers were even accused of impersonating journalists in order to target academics and foreign policy experts.
“There is an inherent sense of intrigue when one is approached by a journalist to discuss an area of expertise. The allure of having research highlighted in the media is often a great motivator to overlook or disregard signs that this opportunity may not be entirely legitimate,” the blog notes. “This social engineering tactic successfully exploits the human desire for recognition and is being leveraged by APT actors wishing to target academics and foreign policy experts worldwide, likely in an effort to gain access to sensitive information.”
Multiple APT actors reportedly linked to Iran were also mentioned in Proofpoint’s research. Two groups referred to as Charming Kitten and Tortoiseshell are accused of regularly posing as journalists from prominent outlets such as Fox News and the Guardian, among others. Most of the attacks appeared to center around the harvesting of login credentials.
“Targeting journalists and media organizations is not novel,” Proofpoint writes in closing. “APT actors, regardless of their state affiliation, have and will likely always have a mandate to target journalists and media organizations and will use associated personas to further their objectives and collection priorities.”
Proofpoint is warning journalists, especially those who cover foreign policy in relation to countries such as China or North Korea, to be mindful when checking emails or visiting login pages.