Proofpoint: Hackers Targeting Journalists
New threat intelligence from Proofpoint’s cybersecurity researchers shows how various nation-state-backed hacking groups have been targeting journalists to conduct espionage, spread malware and infiltrate the media.
Global publications targeted include The Guardian and Fox News, and the findings also cover a reconnaissance campaign against Washington, D.C., media in the days ahead of the Jan. 6th insurrection. A well-timed, successful attack on a journalist’s email account could provide insights into sensitive, budding stories and source identification.
Other Proofpoint findings include:
- Advanced persistent threat (APT) groups aligned with China, North Korea, Iran and Turkey have been observed targeting journalists’ work emails and social media accounts to gain sensitive information and get further access into their organizations.
- Various Iranian-aligned threat actors such as Charming Kitten (TA453) and Tortoiseshell (TA456) have also been observed posing as journalists from publications such as The Guardian, The Sun, Fox News and The Metro. The attacks targeted academics and foreign policy experts worldwide in an effort to gain access to sensitive information.
- Chinese-aligned group TA412 was observed conducting reconnaissance just days before the Jan. 6th attack on the U.S. Capitol building. Proofpoint researchers observed a focus on Washington, D.C., and White House correspondents during this time. This same group also resumed targeting in early 2022, with a focus on reporters covering U.S. and European engagement in the Russia-Ukraine war.
- North Korea’s Lazarus Group (TA404) also targeted U.S. media organizations with job opportunity-themed phishing. This attack occurred after the organization published an article critical of North Korean leader Kim Jong Un, a well-known motivator for action by North Korea-aligned APT actors.
- Threat actors aligned with the Turkish state have focused their efforts on gaining access to journalists’ social media accounts, with the likely aim of spreading pro-Erdogan propaganda and targeting further contacts.
Sherrod DeGrippo is vice president of threat research and detection at Proofpoint.
“Targeting journalists and media organizations is not novel,” she said. “These individuals and organizations suffer from many of the same threats as everyone else. The varied approaches by APT actors — using web beacons for reconnaissance, credential harvesting and sending malware to gain a foothold in a recipient’s network — means those operating in the media space need to stay vigilant. Assessing one’s personal level of risk can give an individual a good sense of the odds they will end up as a target. Such as, if you report on China or North Korea or associated threat actors, you may become part of their collection requirements in the future. Being aware of the broad attack surface — all the varied online platforms used for sharing information and news — an APT actor can leverage is also key to preventing oneself from becoming a victim. And ultimately practicing caution and verifying the identity or source of an email can halt an APT attack in its nascent stage.”
The focus on media by APTs is unlikely to ever wane, DeGrippo said.
“Journalists and media organizations are well sought-after targets because of the unique access and information they can provide,” she said.