Threat actors from China, North Korea, Turkey, and Iran have deployed a variety of techniques so far, such as phishing to conduct reconnaissance and malware to penetrate their targets’ networks, Proofpoint said. However, gathering intelligence is not the sole aim of such campaigns. “Some campaigns have targeted the media for a competitive intelligence edge while others have targeted journalists immediately following their coverage painting a regime in a poor light or as a means to spread disinformation or propaganda,” Proofpoint’s blog post reads. Furthermore, some of the attacks came right before major political events. Proofpoint found a campaign focusing on Washington, DC, and White House correspondents in the days leading up to the January 6, 2021, violence at the U.S. Capitol Building.
Research Finds that Journalists’ Email Accounts are Biggest Targets
Proofpoint points out that journalists’ email addresses are major targets for advanced persistent threat (APT) actors. This is because journalists communicate with a number of sources from all across the political spectrum. By the nature of the profession, journalists are also more likely than the average person to interact with emails from unknown sources, which puts them at a higher risk of falling for a phishing attack.

Since early 2021, Chinese APT actor TA142 has actively targeted U.S.-based journalists with malicious phishing emails, Proofpoint said. The actor is known to use web beacons, which are tracking tools that enable an actor to carry out reconnaissance activities. Proofpoint even noticed that TA142 changed its campaign over time to suit the U.S. political climate. In August 2021, the actor began to target journalists who had written about social media privacy issues and disinformation campaigns in China. In February, the campaign targeted journalists and media houses reporting on the U.S. and EU’s engagement in the conflict in Ukraine.

North Korean hacking group Lazarus also targeted an American media organization with a job-opportunity-themed phishing attack. These phishing emails contained URLs to fake job postings with legitimate-looking landing pages. “If a victim interacted with the URL, which contained a unique target ID, the server resolving the domain would have received confirmation that the email was delivered, and the intended target had interacted with it,” Proofpoint said. “This request also provides identifying information about the computer, or device, allowing the host to keep track of the intended target.”
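For defenders, the web beacons and unique-target-ID links described above can be surfaced before a message is opened. The following is an added example, not code from Proofpoint or this article: the function names, the token heuristic (a query value of 16 or more URL-safe characters) and the `.example` hosts in the constructed sample are all assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Assumed heuristic: a query value that is one long URL-safe run looks like a per-recipient ID.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,}$")

def token_params(url):
    """Return query parameter names whose values look like unique target IDs."""
    return [k for k, v in parse_qsl(urlsplit(url).query) if TOKEN_RE.match(v)]

class BeaconScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (kind, url, detail)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            src = a.get("src") or ""
            if not src.lower().startswith(("http://", "https://")):
                return  # embedded (cid:/data:) images make no remote request
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = "display:none" in (a.get("style") or "").replace(" ", "").lower()
            if tiny or hidden:
                self.findings.append(("beacon-image", src, "tiny" if tiny else "hidden"))
        elif tag == "a":
            href = a.get("href") or ""
            params = token_params(href)
            if params:
                self.findings.append(("tracked-link", href, ",".join(params)))

def scan_email_html(html):
    scanner = BeaconScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample body; hosts use the reserved .example TLD.
SAMPLE = """
<a href="https://jobs.example/posting?id=7f3a9c2e51d04b8899aa01c3">View the role</a>
<a href="https://news.example/article?page=2">Unrelated link</a>
<img src="https://track.example/o.gif?u=7f3a9c2e51d04b8899aa01c3" width="1" height="1">
<img src="cid:logo@local" width="120" height="40">
"""

if __name__ == "__main__":
    for kind, url, detail in scan_email_html(SAMPLE):
        print(kind, detail, url)
```

Legitimate newsletters use the same mechanisms, so a hit is a reason to keep remote images blocked and to inspect the link before clicking, not proof of a targeted campaign.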
Targeting Social Media Accounts, Impersonating Journalists
Proofpoint stated that APT actors also actively engage in credential harvesting attacks in a bid to gain access to journalists’ social media accounts. Turkish actor TA482 has sent phishing emails to targeted journalists, impersonating Twitter’s security team. If a target clicks on the malicious links, they are taken to a credential harvesting site that looks like a Twitter Reset Password landing page. Researchers also pointed out that certain APT actors impersonate foreign reporters and reach out to U.S.-based journalists or academics. APT TA453, or “Charming Kitten,” is an Iranian hacking group that “routinely masquerades as journalists” and tries to engage in conversations with American academics and policy experts engaged in Middle East affairs.
Foiling Phishing Schemes and Attacks
It’s not known just how successful the malicious campaign has been, as Proofpoint managed to block most of the emails that it found. The cybersecurity firm has urged journalists and media houses to stay vigilant and be aware of these types of attacks. Targeting the media is not new, and is unlikely to slow down any time soon. Members of the media are also easier targets for sensitive information as compared to government employees or entities. The company added that journalists should conduct a self-assessment to determine their level of personal risk. Those reporting on China, North Korea, or other regime-associated threat actors are likely to come under their radar. The best way to stay secure is to have a working knowledge of potential threats.