July 15, 2022, updated 28 Jul 2022 9:50am

State-sponsored hackers are launching ‘sustained’ attacks on journalists

Reporters and other media staff have become targets for cybercriminals, with attacks ramping up in the last 18 months.

By Claudia Glover

State-sponsored hackers from China, North Korea, Iran and Turkey are targeting journalists to glean sensitive information from their messages, new research says. There has been a “sustained effort” to infiltrate reporters’ messages in recent years, according to the report from security company Proofpoint, using sophisticated phishing tactics and impersonation techniques.

Journalists are being targeted by cybercriminals. (Photo by Paul Bradbury/iStock)

Cyberattacks on journalists: China and North Korea launch offensives

Espionage attacks on journalists have increased since the start of 2021, Proofpoint says, particularly at times of political importance such as during the US presidential elections. This focus is “unlikely to ever wane,” states the report, “making it important for journalists to protect themselves, their sources and the integrity of their information, by ensuring they protect themselves online.”

China’s main aim has been gaining information from American journalists, with an APT group known as TA412 leading the charge. “The campaigns by TA412 and their ilk evolved over the course of months, adjusting lures to best fit the US political environment and switching to target US-based journalists focussed on different areas of interest to the Chinese government,” the report says.

This particular group would send malicious emails masquerading as press releases or information about politically contentious US stories, such as the January 2021 attack on the Capitol Building. Hidden in the messages would be “web beacons”, hyperlinked non-visible objects within the body of an email (often an image file of a single pixel in size) that, when enabled, allow the hackers to gather information from an infected system to launch follow-up attacks.
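For mail administrators and newsroom security staff, the sketch below shows how the web beacons described above can be spotted in a message before it is rendered. It is an added example, not code from the Proofpoint report; the sample message, its hosts and the "1x1 or hidden" heuristic are constructed assumptions.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

# Constructed sample message; all hosts and addresses are placeholders.
SAMPLE_EML = """\
From: press@newsdesk.example
Subject: Press release
Content-Type: text/html; charset="utf-8"

<html><body><p>Statement attached below.</p>
<img src="https://cdn.example/logo.png" width="200" height="60">
<img src="http://track.example/o.gif?id=reporter%40paper.example" width="1" height="1">
<img src="https://track.example/p.png" style="display:none">
<img src="cid:inline-chart" width="1" height="1">
</body></html>
"""

HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
def _tiny(value):
    # True for a width/height attribute of 0 or 1, optionally suffixed "px".
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "")
    return bool(m) and int(m.group(1)) <= 1

class BeaconFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (src, reason) pairs

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: v or "" for k, v in attrs}
        src = a.get("src", "")
        # Only remote images contact a server on render; cid:/data: images are embedded.
        if not src.lower().startswith(("http://", "https://")):
            return
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            self.hits.append((src, "1x1"))
        elif HIDDEN.search(a.get("style", "")):
            self.hits.append((src, "hidden"))

def find_beacons(raw_eml):
    finder = BeaconFinder()
    for part in message_from_string(raw_eml, policy=default).walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.hits
```

Blocking automatic loading of remote images in the mail client removes the signal a beacon relies on; a check like this helps decide which messages deserve a closer look.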

This year researchers have noticed an uptick in Chinese threat actors targeting journalists, indicating a desire to gather information on the Russian invasion of Ukraine.

In February, Tech Monitor reported on a cyberattack on journalists at News Corp, publisher of The Times and The Wall Street Journal, which saw information stolen from the company’s reporters. News Corp said in an SEC filing that it had been “the target of persistent cyberattack activity”. Mandiant, the security company brought in to investigate the breach, said it believed the incident to be the work of Chinese hackers “involved in espionage activities to collect intelligence to benefit China’s interests”.

North Korean state-backed hacking group Lazarus attacked an unnamed US-based media company this year after it published an article deemed critical of Kim Jong Un, the report says. Using a bogus job offer, the gang enticed journalists to interact with a malicious link and from then on would track the journalist while gathering information from their device. It is likely that, once successful, Lazarus would continue to send emails in an effort to gain further details.

Hackers stealing Twitter credentials and posing as reporters

Turkish APT actors have mainly used social media to manipulate members of the media into surrendering their credentials, the report says. The group termed TA482 has been seen “regularly engaging in credential harvesting campaigns that target the social media accounts of mostly US-based journalists and media organisations.”

This has mainly taken the form of sending fake Twitter security emails that convince reporters to give up their credentials. Proofpoint says the motivations of this group are unknown, but that they could use the compromised accounts to spread propaganda. It expects to see the number of attacks ramp up ahead of the 2023 Turkish presidential elections.

Iranian hackers have gone as far as to impersonate journalists. “The threat actor uses these personas to engage in benign conversations with targets, which consist mostly of academics and policy experts working on Middle Eastern foreign affairs,” the report says, with the aim of harvesting valuable credentials.