Researchers following the activities of advanced persistent threat (APT) groups originating from China, North Korea, Iran, and Turkey say that journalists and media organizations have remained a constant target for state-aligned actors.
The adversaries either impersonate or attack these targets because journalists have unique access to non-public information that could help expand a cyberespionage operation.
Recent targeting activity
Proofpoint analysts have been following these activities from 2021 and into 2022 and published a report about several APT groups impersonating or targeting journalists.
The China-linked threat actor known as ‘Zirconium’ (TA412) has been confirmed to target American journalists since early 2021 with emails containing trackers that alerted when messages were accessed.
This simple trick also allowed the threat actor to obtain the target’s public IP address from which they could gather more information such as location of the victim and the internet service provider (ISP).
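The tracker described above is an e-mail "web beacon": a remote image whose URL is unique to the recipient, so the sender's server logs the reader's IP address the moment a mail client fetches it. The defensive counterpart is to flag such images before remote content is loaded. The following Python script is an added example, not code from the article or from Proofpoint; the sample HTML, the host names (`newsletter.example.org`, `track.example.net`) and the heuristic thresholds are constructed for illustration.

```python
"""Flag likely tracking beacons ("web bugs") in an HTML e-mail body.

Constructed sample input and heuristic thresholds are assumptions for
illustration; they are not taken from Proofpoint's report.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Heuristics: an <img> that is remote, invisible or tiny, or carries a long
# opaque token in its URL has the classic shape of a read-receipt beacon.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-]{16,}$")


class _ImgCollector(HTMLParser):
    """Collects the attribute dict of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height values of 1px or less (e.g. '1', '0', '1px')."""
    try:
        return int(value.strip().rstrip("px")) <= 1
    except ValueError:
        return False


def analyze_image(attrs, trusted_hosts=()):
    """Return the list of reasons an <img> looks like a beacon (empty = benign)."""
    src = attrs.get("src", "")
    url = urlparse(src)
    reasons = []
    if url.scheme not in ("http", "https"):
        return reasons  # inline/data: images cannot phone home
    if url.hostname and url.hostname.lower() in trusted_hosts:
        return reasons
    reasons.append("remote image")
    if _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", "")):
        reasons.append("1x1 pixel")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden via CSS")
    for values in parse_qs(url.query).values():
        if any(TOKEN_RE.match(v) for v in values):
            reasons.append("opaque per-recipient token in query string")
            break
    last_segment = url.path.rsplit("/", 1)[-1]
    if TOKEN_RE.match(last_segment.split(".")[0]):
        reasons.append("opaque token in path")
    return reasons


def find_beacons(html, trusted_hosts=()):
    """Return [(src, reasons)] for images that trip more than the bare 'remote' heuristic."""
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.images:
        reasons = analyze_image(attrs, trusted_hosts)
        if len(reasons) > 1:
            findings.append((attrs.get("src", ""), reasons))
    return findings


# Constructed sample: a newsletter-looking message with one real logo and one beacon.
SAMPLE_HTML = """
<html><body>
<p>Dear colleague, please find our latest briefing attached.</p>
<img src="https://newsletter.example.org/logo.png" width="200" height="60">
<img src="https://track.example.net/open/aZ9kQ2mN7pL4xV1bC8dE" width="1" height="1" style="display:none">
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_beacons(SAMPLE_HTML):
        print(src, "->", ", ".join(reasons))
```

Run on the sample, the logo is reported only as a remote image and is not returned, while the second image is returned with four reasons. A legitimate logo still trips the "remote image" rule, which is exactly why the only reliable mitigation is a mail client configured not to fetch remote content automatically; this script is useful for triage and for explaining to a newsroom why that setting matters.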
By February 2022, Zirconium resumed campaigns targeting journalists with the same tactics, focusing mainly on those reporting about the Russia-Ukraine war.
In April 2022, Proofpoint observed another Chinese APT group tracked as TA459 targeting reporters with RTF files that dropped a copy of the Chinoxy malware when opened. This group targeted media interested in foreign policy in Afghanistan.
North Korean hackers of the TA404 group were also spotted targeting media personnel during the spring of 2022, using fake job postings as lures.
Finally, Turkish threat actors tracked as TA482 orchestrated credential harvesting campaigns that attempted to steal journalists’ social media accounts.
Impersonating journalists
However, not all hackers care to put in the effort to compromise journalist accounts. Instead, some cut corners and go straight to assuming reporter personas to reach out to their targets directly.
Proofpoint has seen this tactic mainly from Iranian actors like TA453 (a.k.a. Charming Kitten), who sent emails to academics and Middle East policy experts posing as reporters.
Another example is TA456 (aka Tortoiseshell), which disguises its emails as newsletters from the Guardian or Fox News, hoping for successful malware delivery to the target.
Finally, Proofpoint highlights the activity of Iranian hackers TA457, who, between September 2021 and March 2022, launched media-targeting campaigns every two to three weeks.
Unfortunately, media organizations and their employees are, by the nature of their work, publicly reachable, and so remain exposed to social engineering that could lead to the compromise of their access to sensitive information.