State-sponsored hackers from China, North Korea, Iran and Turkey are targeting journalists to glean sensitive information from their messages, new research says. There has been a “sustained effort” to infiltrate reporters’ messages in recent years, according to the report from security company Proofpoint, using sophisticated phishing tactics and impersonation techniques.
Cyberattacks on journalists: China and North Korea launch offensives
Espionage attacks on journalists have increased since the start of 2021, Proofpoint says, particularly at times of political importance such as during the US presidential elections. This focus is “unlikely to ever wane,” states the report, “making it important for journalists to protect themselves, their sources and the integrity of their information, by ensuring they protect themselves online.”
China’s main aim has been gaining information from American journalists, with an APT group known as TA412 leading the charge. “The campaigns by TA412 and their ilk evolved over the course of months, adjusting lures to best fit the US political environment and switching to target US-based journalists focussed on different areas of interest to the Chinese government,” the report says.
This particular group would send malicious emails masquerading as press releases or information about politically contentious US stories, such as the January 2021 attack on the Capitol Building. Hidden in the messages would be “web beacons”: hyperlinked, non-visible objects within the body of an email (often an image file a single pixel in size) that, when enabled, allow the hackers to gather information from an infected system and use it to launch follow-up attacks.
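The defensive counterpart to the beacon technique described above is to inspect an HTML message for remote images before any of them are fetched. The script below is an added example for this article, not Proofpoint's code or tooling: it parses the `<img>` tags in a constructed sample message (hostnames use the reserved `.invalid` domain), skips inline `cid:`/`data:` images that cannot phone home, and flags remote images that show beacon traits, namely 1x1 size, CSS hiding, or a query string that can carry a per-recipient token. The `trusted_hosts` parameter is an assumption of this example, standing in for an organisation's allow-list of image hosts.

```python
"""Flag probable web beacons (tracking pixels) in an HTML email body.

Added example for this article, not Proofpoint's code or tooling.
The sample message below is constructed; hostnames use the reserved
.invalid TLD so nothing here refers to a real service.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a "press release" with one inline logo, one banner,
# and two images that behave like beacons (a 1x1 image carrying a
# per-recipient token, and a CSS-hidden pixel).
SAMPLE_EMAIL_HTML = """<html><body>
<p>Press release: statement on the Capitol Building investigation</p>
<img src="cid:logo@example" width="200" height="60" alt="logo">
<img src="https://cdn.example.invalid/banner.png" width="600" height="120" alt="banner">
<img src="https://tracker.example.invalid/open.gif?id=rcpt-7f3a" width="1" height="1" alt="">
<img src="https://tracker.example.invalid/p.png" style="display:none; width:1px; height:1px">
</body></html>"""


class _ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag (self-closing or not)."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """Parse '1', '1px' or ' 1 ' into an int; None if not a plain pixel value."""
    if value is None:
        return None
    value = value.strip().lower()
    if value.endswith("px"):
        value = value[:-2]
    return int(value) if value.isdigit() else None


def _dimensions(attrs):
    """Width/height from the HTML attributes, falling back to inline CSS."""
    style = attrs.get("style", "").lower().replace(" ", "")
    w = _px(attrs.get("width"))
    h = _px(attrs.get("height"))
    if w is None:
        m = re.search(r"(?:^|;)width:(\d+)px", style)
        w = int(m.group(1)) if m else None
    if h is None:
        m = re.search(r"(?:^|;)height:(\d+)px", style)
        h = int(m.group(1)) if m else None
    return w, h


def _hidden(attrs):
    style = attrs.get("style", "").lower().replace(" ", "")
    return "display:none" in style or "visibility:hidden" in style


def analyse_images(html, trusted_hosts=frozenset()):
    """Return one finding per remote (http/https) image in the body.

    Inline images (cid:, data:) cannot phone home, so they are skipped.
    A remote image is marked likely_beacon when its host is not on the
    trusted list and it shows at least one beacon trait.
    """
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.images:
        url = urlparse(attrs.get("src", ""))
        if url.scheme not in ("http", "https"):
            continue
        indicators = []
        w, h = _dimensions(attrs)
        if w is not None and h is not None and w <= 1 and h <= 1:
            indicators.append("1x1 pixel")
        if _hidden(attrs):
            indicators.append("hidden by CSS")
        if url.query:
            indicators.append("query string (possible recipient token)")
        host = url.hostname or ""
        findings.append({
            "src": attrs.get("src", ""),
            "host": host,
            "indicators": indicators,
            "likely_beacon": bool(indicators) and host not in trusted_hosts,
        })
    return findings


if __name__ == "__main__":
    for finding in analyse_images(SAMPLE_EMAIL_HTML):
        label = "BEACON" if finding["likely_beacon"] else "remote"
        print(label, finding["host"], finding["indicators"])
```

Run on the sample, the banner is reported as a plain remote image while the two tracker images are flagged. The practical mitigation the check supports is the mail-client setting that blocks remote image loading by default: a beacon that is never fetched reveals nothing, and a gateway can use findings like these to decide which messages deserve that treatment or a closer look.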
This year researchers have noticed an uptick in Chinese threat actors targeting journalists, indicating a desire to gather information on the Russian invasion of Ukraine.
In February, Tech Monitor reported on a cyberattack on journalists at News Corp, publisher of The Times and The Wall Street Journal, which saw information stolen from the company’s reporters. News Corp said in an SEC filing that it had been “the target of persistent cyberattack activity”. Mandiant, the security company brought in to investigate the breach, said it believed the incident to be the work of Chinese hackers “involved in espionage activities to collect intelligence to benefit China’s interests”.
North Korean state-backed hacking group Lazarus attacked an unnamed US-based media company this year after it published an article deemed critical of Kim Jong Un, the report says. Using a bogus job offer, the gang enticed journalists to interact with a malicious link, after which it would track the journalist and gather information from their device. Once successful, Lazarus would likely continue sending emails in an effort to extract further details.
Hackers stealing Twitter credentials and posing as reporters
Turkish APT actors have mainly used social media to manipulate members of the media into surrendering their credentials, the report says. The group termed TA482 has been seen “regularly engaging in credential harvesting campaigns that target the social media accounts of mostly US-based journalists and media organisations.”
This has mainly taken the form of sending fake Twitter security emails which convince reporters to give up their credentials. Proofpoint says the motivations of this group are unknown, but that they could use the compromised accounts to spread propaganda. It expects to see the number of attacks ramp up ahead of the 2023 Turkish presidential elections.
Iranian hackers have gone as far as to impersonate journalists. “The threat actor uses these personas to engage in benign conversations with targets, which consist mostly of academics and policy experts working on Middle Eastern foreign affairs,” the report says, with the aim of harvesting valuable credentials.