Journalists and media organizations continue to be targeted by state-aligned actors, according to researchers tracking advanced persistent threat (APT) groups originating in China, North Korea, Iran, and Turkey.
Because journalists have privileged access to information that is not generally available, adversaries either impersonate them or attack them directly to further their cyberespionage operations.
Recently Conducted Targeting
Proofpoint analysts tracked this activity during 2021 and 2022 and published a report on multiple APT groups that impersonated or targeted journalists.
Since early 2021, the China-aligned threat actor known as “Zirconium” (TA412) has targeted American journalists with emails containing trackers that sent an alert when the message was opened.
This straightforward technique also let the threat actor collect the target’s public IP address, which can be used to learn further details about the victim’s location and internet service provider (ISP).
By February 2022, Zirconium had resumed its operations against journalists using the same tactics, with a particular emphasis on those who were covering the Russia-Ukraine conflict.
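The open-tracker technique described above can be spotted before a mail client fetches anything. The following is an added example, not code from Proofpoint or the report: a small detector that scans an HTML email body for remote images that look like beacons (tiny or hidden, carrying a per-recipient token), using a constructed sample message and heuristic thresholds that are assumptions.

```python
# Added example (not from the Proofpoint report): flag likely open-tracking
# beacons in an HTML email body so a defender can alert on or strip remote
# images before the client fetches them and leaks the reader's public IP.
from html.parser import HTMLParser
from urllib.parse import urlparse


class BeaconFinder(HTMLParser):
    """Collect <img> tags that look like open-trackers."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        url = urlparse(a.get("src") or "")
        if url.scheme not in ("http", "https"):
            return  # inline (cid:/data:) images cannot phone home
        reasons = []

        def tiny(v):  # 1x1 and 0x0 images are the classic beacon shape
            return v is not None and v.strip().rstrip("px") in ("0", "1")

        if tiny(a.get("width")) or tiny(a.get("height")):
            reasons.append("1x1 or zero-size image")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        # Heuristic (assumption): a query string or a long opaque file name
        # usually encodes a recipient-specific tracking token.
        if url.query or len(url.path.rsplit("/", 1)[-1]) >= 24:
            reasons.append("per-recipient token in URL")
        if reasons:
            self.findings.append((url.netloc, reasons))


def find_beacons(html_body):
    """Return [(remote_host, [reasons]), ...] for suspected beacons."""
    p = BeaconFinder()
    p.feed(html_body)
    return p.findings


# Constructed sample message: one legitimate logo, one tracking pixel.
SAMPLE = """<html><body><p>Hello,</p>
<img src="https://news.example.org/logo.png" width="120" height="40">
<img src="https://track.example.net/o/a1b2c3d4e5f6a7b8c9d0e1f2a3b4.gif" width="1" height="1" style="display:none">
</body></html>"""

if __name__ == "__main__":
    for host, why in find_beacons(SAMPLE):
        print(host, "->", ", ".join(why))
```

A mail gateway or client plug-in can use the same logic to rewrite flagged images to a local placeholder, which defeats both the open alert and the IP disclosure.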
In April 2022, Proofpoint observed another Chinese APT group, TA459, targeting journalists with RTF files that, when opened, dropped a copy of the Chinoxy malware. This group specifically targeted journalists covering Afghan foreign affairs.
In the spring of 2022, North Korean operators from the TA404 group were also observed targeting journalists, luring them with fake job advertisements.
Finally, Turkish threat actors identified as TA482 planned campaigns to harvest credentials from journalists’ social media accounts.
Posing as Journalists
Not all attackers, however, go to the trouble of compromising journalists’ accounts. Some instead take the shortcut of posing as reporters to contact their targets directly.
This strategy has mostly been used by Iranian actors, such as TA453 (also known as Charming Kitten), who sent emails to academics and Middle East policy specialists while pretending to be reporters.
Another example is TA456 (also known as Tortoiseshell), which sends emails posing as newsletters from the Guardian or Fox News in the hope that the victim will unwittingly download malware.
Finally, Proofpoint draws attention to the activities of Iranian hackers TA457, who initiated media-targeting efforts every two to three weeks between September 2021 and March 2022.
APTs are expected to keep using phishing, malware droppers, and other social engineering techniques against journalists.
Unfortunately, because media organizations and the people who work for them are accessible to the public, they are vulnerable to social engineering attacks that could jeopardize their access to confidential data.