• United States



CSO Senior Writer

Cyberespionage groups increasingly target journalists and media organizations

News Analysis
Jul 14, 20226 mins
Advanced Persistent Threats

State-affiliated APT groups seek sensitive information and try to learn story sources by targeting journalists' email and social media accounts.

2 man with binoculars data breach research spy
Credit: Getty Images

Since early 2021 researchers have observed multiple attack campaigns by state-sponsored advanced persistent threat (APT) groups aimed at journalists and the media organizations they work for. The attacks targeted their work emails and social media accounts and often followed journalists’ coverage of stories that painted certain regimes in a bad light or were timed to sensitive political events in the U.S.

Journalists have always been an appealing target for spies due to the access they have to sensitive information and the trust that organizations and individuals generally place in them, which is why it’s imperative for members of the media to undergo online security training and be aware of the techniques used by state-linked hackers.

“The media sector and those that work within it can open doors that others cannot,” researchers from Proofpoint said in a new report that documents recent attack campaigns against journalists by APT groups linked to China, North Korea, Iran and Turkey. “A well-timed, successful attack on a journalist’s email account could provide insights into sensitive, budding stories and source identification. A compromised account could be used to spread disinformation or pro-state propaganda, provide disinformation during times of war or pandemic, or be used to influence a politically charged atmosphere.”

From tracking pixels to malware

Due to their highly targeted nature, reconnaissance plays a big role in APT attacks, as hackers need to know as much information about a potential victim as possible to craft believable lures. Often this includes validating someone’s email address and the likelihood of them opening a future malicious message.

Attackers often achieve this by embedding pixel-sized images hosted on web servers they control into benign email messages. These are known as tracking pixels or web beacons and are triggered when an email is read sending back to the attackers the target’s external IP address, user-agent string, which helps them identify their operating system and email client and, more important, validation that the targeted email account is active and the owner reads their emails.

Chinese APT group tracks U.S. journalists

Between January and February 2021, Proofpoint researchers observed a Chinese APT group tracked as TA412 or Zirconium targeting U.S.-based journalists using such reconnaissance emails with web beacons. The emails used recent news headlines as subject and included text copied from legitimate articles. Following the attack on the U.S. Capitol building on January 6, the campaign intensified and focused on Washington DC and White House correspondents.

After several months of break, the same group launched another reconnaissance campaign in August 2021 focused on journalists who covered cybersecurity, surveillance and privacy stories that painted China and the Chinese government in an unfavorable light. Yet another wave of emails directed at journalists happened in February 2022 and based on the email topics, it was focused on those who reported about the EU and U.S. involvement in the War in Ukraine.

While the detected campaigns by TA412 were only focused on reconnaissance, it’s likely that they were followed by attempts to compromise the selected targets with malware either by email or in other ways.

An example of that is an attack campaign targeting journalists launched in April by a different Chinese APT tracked as TA459. That attack came from a possibly compromised Pakistani government email address and had a malicious RTF attachment that deployed a backdoor program called Chinoxy. The target was a media organization reporting on the Russia-Ukraine war, the Proofpoint researchers said.

Another APT group, known as TA404 or Lazarus, that’s affiliated with the North Korean government also launched a reconnaissance campaign in early 2022 against a media organization that wrote a critical story about North Korea and its leader. The benign emails masqueraded as job offerings and included URLs with unique tracking IDs for each recipient.

“While Proofpoint researchers did not observe follow-up emails, considering this threat actor’s proclivity for later sending malware-laden email attachments, it is likely that TA404 would have attempted to send malicious template document attachment or something similar in the future,” the Proofpoint researchers said.

In March, Google TAG documented a similar email campaign launched by North Korean threat actors that led recipients to pages that exploited a vulnerability in Google Chrome. The targets included news media organizations.

Journalists’ social media accounts are also a target

The attacks against journalists are not limited to malware deployment attempts, but also credential phishing as rogue messages posted from the social media accounts of journalists can have a big reach and can be used in disinformation campaigns.

Since early 2022, Proofpoint has been tracking an email campaign by a Turkish APT group. The emails masquerade as alerts from Twitter security and direct recipients to a phishing page for Twitter credentials.

“Ongoing campaigns have narrowed in on Twitter credentials of any individuals that write for media publications,” the researchers said. “This includes journalists from well-known news outlets to those writing for an academic institution and everything in-between.”

It’s not clear what these attackers plan to do with the Twitter credentials. They could be used to target the social media contacts of journalists, read their private messages, or deface their accounts.

Impersonating journalists to extract information from victims or direct them to phishing websites is a technique long used by several Iranian APT groups. Proofpoint has tracked campaigns by Iran-linked TA453, also known as Charming Kitten; TA456, also known as Tortoiseshell; and TA457 that have impersonated journalists or media organizations to target academics and policy experts, public relations personnel for companies located in the U.S., Israel and Saudi Arabia, and various other individuals.

“The varied approaches by APT actors — using web beacons for reconnaissance, credential harvesting, and sending malware to gain a foothold in a recipient’s network — means those operating in the media space need to stay vigilant,” the Proofpoint researchers said. “Being aware of the broad attack surface — all the varied online platforms used for sharing information and news — an APT actor can leverage is also key to preventing oneself from becoming a victim. And ultimately practicing caution and verifying the identity or source of an email can halt an APT attack in its nascent stage.”