Cybersecurity researchers say they have witnessed an “ongoing effort” by nation-state hackers to compromise journalists’ accounts.
In a blog post Thursday, cybersecurity firm Proofpoint detailed the numerous campaigns allegedly being carried out by state-sponsored and state-aligned hacking groups against members of the media.
Dubbed Advanced Persistent Threat (APT) actors, the hacking groups either posed as journalists or aimed to access information deemed valuable by foreign governments.
“A well-timed, successful attack on a journalist’s email account could provide insight into sensitive, emerging stories and source identification,” the blog reads. “A compromised account could be used to spread disinformation or pro-state propaganda, provide disinformation in times of war or pandemic, or influence a politically charged atmosphere.”
The APT actors monitored by Proofpoint are believed to be aligned with the state interests of countries such as China, North Korea, Iran and Turkey. While some targeted journalists simply for casting their countries in a bad light, others timed their attacks to coincide with important US political events.
The most common attack vector was phishing emails aimed at stealing journalists’ email account credentials. Proofpoint states that an APT actor believed to be linked to China, commonly referred to as TA412 or Zirconium, has been involved in numerous reconnaissance phishing campaigns since early last year.
Zirconium is said to often use web beacons, or tracking pixels, in emails to determine if an account is active while also obtaining information about the target’s web browser and operating system. Overall, Proofpoint says it observed five different campaigns between January and February 2021. The cybersecurity firm also says it noticed a spike in attacks on journalists in Washington, DC, ahead of the Jan. 6 attack on the US Capitol.
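As an added illustration, not taken from Proofpoint’s report or from this article, the Python sketch below shows how a mail-filtering script could flag likely web beacons in an HTML email. The sample message, the `example.test` hosts and the two heuristics (a remote image sized 1x1 or smaller, or hidden with CSS) are assumptions made for the example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample message; example.test hosts are placeholders.
SAMPLE = """\
From: "News Desk" <desk@example.test>
To: reporter@example.test
Subject: Story tip
Content-Type: text/html; charset="utf-8"

<html><body><p>Please see the attached tip.</p>
<img src="https://example.test/logo.png" width="120" height="40">
<img src="https://track.example.test/o.gif?id=abc123" width="1" height="1">
<img src="https://track.example.test/p.png?u=42" style="display:none">
</body></html>
"""

HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY = re.compile(r"\s*[01]\s*(px)?\s*$", re.I)  # width/height of 0 or 1

class _ImgScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # list of (url, reasons)
    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not src.lower().startswith(("http://", "https://")):
            return  # cid: and data: images never contact a remote server
        reasons = []
        if TINY.match(a.get("width", "")) or TINY.match(a.get("height", "")):
            reasons.append("1x1 or smaller")
        if HIDDEN.search(a.get("style", "")):
            reasons.append("hidden by CSS")
        if reasons:
            self.hits.append((src, reasons))

def find_beacons(raw_message):
    """Return (url, reasons) for each remote image that looks like a beacon."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    scanner = _ImgScanner()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scanner.feed(part.get_content())
    return scanner.hits
```

Mail clients that block remote images by default stop the beacon from firing at all, since the pixel only reports back when the image is fetched.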
APT actors reportedly took action months later in August 2021, shifting their focus to journalists covering cybersecurity, surveillance and privacy issues related to China. Efforts resumed in February following Russia’s invasion of Ukraine. Other China-affiliated APT actors have been found to send malicious documents to journalists in order to infect them with malware.
North Korea has also been active in targeting American journalists. APT actors known as Lazarus reportedly carried out investigations against a certain media outlet after it published an article critical of North Korean leader Kim Jong-un. The hackers included links to fake job ads in their phishing emails, which, if clicked, would provide the APT actors with information about the target’s device, such as its public IP address and operating system, for further exploitation. Journalists’ social media accounts were also targeted.
Proofpoint also pointed the finger at Turkey-aligned APT actors who have been targeting journalists’ social media accounts, particularly Twitter, since the beginning of the year. The attacks are often phishing scams that attempt to steal a user’s credentials. The hackers have even been accused of posing as journalists to target academics and foreign policy experts.
“There is an inherent sense of fascination when being approached by a journalist to discuss a subject. The allure of emphasizing research in the media is often a great motivator to overlook or ignore signs that this opportunity may not be entirely legitimate,” the blog notes. “This social engineering tactic successfully exploits the human desire for recognition and is being used by APT actors seeking to target academics and foreign policy experts worldwide, likely to gain access to sensitive information.”
Several APT actors reportedly linked to Iran were also mentioned in Proofpoint’s research. Two groups dubbed Charming Kitten and Tortoiseshell are accused of regularly posing as journalists for prominent media outlets like Fox News and the Guardian, among others. Most attacks seemed to focus on credential harvesting.
“Targeting journalists and media organizations is not new,” Proofpoint concludes. “APT actors, regardless of state affiliation, have and likely always will have a mandate to reach out to journalists and media organizations, and will use associated personas to further their goals and collection priorities.”
Proofpoint warns journalists, particularly those covering foreign policy related to countries like China or North Korea, to be vigilant when checking email or visiting login pages.
*Initial publication: July 14, 2022 at 6:00 am CDT
Mikael Thalen is a Seattle-based tech and security reporter covering social media, data breaches, hackers and more.
https://www.dailydot.com/debug/proofpoint-journalists-targeted-nation-state-hackers/ Researchers say journalists are being targeted by nation-state hackers in an “ongoing effort”.