A new report from cybersecurity firm Proofpoint details cyber espionage campaigns directed at journalists, conducted by state sponsored hackers from several different nations. The hackers are working independently for their respective countries, but share similarities in their approach and the information they’re after.
The cyber espionage campaigns focus on gaining access to journalist networks by impersonating legitimate members of the profession, usually by phishing an email or social media account. The attackers then hunt for useful geopolitical information and the identity of sources that the journalist and their contacts may be privy to; some are also using the opportunity to spread pro-state propaganda.
State sponsored hackers from four countries actively targeting journalists
The Proofpoint report documents state sponsored hackers from four countries that are actively pursuing journalists: China, Iran, Turkey and North Korea. These cyber espionage campaigns have been observed since early 2021, and Proofpoint believes that this sort of activity will continue indefinitely as the hackers have seen some success in stealing secrets and spreading propaganda.
The state sponsored hackers are focusing on journalists in other countries, primarily the United States. Their usual entry point is a phishing message aimed at a known journalist's account, sometimes carrying malware and sometimes only harvesting credentials; email accounts are the heavily preferred target.
While the general focus and tactics are the same, each of the state sponsored hackers has their own geopolitical interests. China has multiple advanced persistent threat (APT) groups working in this way, including the infamous “Zirconium” team that has been linked to numerous high-profile attacks and is believed to be in possession of stolen NSA hacking tools. They are also believed to have the strongest specific focus on US journalists, with five campaigns identified in the early months of 2021 and a renewed focus on reporters covering China and Russia in late 2021 moving into 2022.
Zirconium likes to use “web beacons” to probe potential victims, first sending them emails with an embedded invisible pixel (a remote image, typically 1x1 or hidden by CSS) that loads from the attacker's server when the mail client fetches remote images. That tells the sender the account is active, that the email has been opened, and the recipient's externally visible IP address. It also tips the attacker off to what types of emails the recipient will open from unfamiliar sources and, if the pixel never loads, that remote image loading is probably blocked in their account. Zirconium appears to like to open with current news articles that appear to be sent by a colleague.
Another Chinese group of state sponsored hackers, TA459, joined in the cyber espionage campaign after the start of the Ukraine invasion with a more blunt and direct approach. This group simply sends a malicious RTF document that deploys Chinoxy malware if it is opened. This group has also had more of a focus outside of the US, making use of compromised Pakistani government email addresses to send malware and targeting journalists that cover Afghanistan.
Cyber espionage campaigns go after high-profile news outlets, with some success
North Korean state sponsored hackers have also shown an interest in US targets, but are ranging far and wide in campaigns that involve not just cyber espionage but attempts at profit-making for the isolated government.
These actions also involve a well-known and long-tenured group of state sponsored hackers, Lazarus, famous for the WannaCry ransomware outbreak and for the 2016 Bangladesh Bank heist, in which it attempted to steal nearly $1 billion and got away with $81 million (among numerous other exploits). The group was observed in early 2022 targeting a US media outlet with a seemingly innocuous message sharing an article about leader Kim Jong Un’s negative reputation.
In Turkey, a group of state sponsored hackers referred to as “TA482” has issued broad, seemingly “spray and pray” attacks on all sorts of journalists and outlets covering all sorts of topics. These hackers focus on stealing Twitter credentials by sending a spoofed email appearing to come from Twitter, asking the user to change their password for the sake of security. If the embedded password link is followed, the victim lands on a spoofed Twitter login page that harvests their credentials. The tell is the link's actual destination host, which is not a Twitter domain however convincing the visible link text and sender display name look.
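The two lure mechanics described above, Zirconium's invisible tracking pixel and TA482's brand-spoofed password-reset link, can both be spotted mechanically in a raw message. The following is an added example, not code from Proofpoint or from this article, of a small .eml triage script: it flags remote images that are tiny or hidden (the web-beacon pattern), links whose anchor text or hostname invokes a brand while resolving to an off-brand domain, and a From display name that claims a brand its sending domain does not belong to. The two sample messages, the domains in them, and the brand allow-list are constructed for the example.

```python
"""Triage raw .eml messages for tracking pixels and brand-spoofed links.
Added example; the sample messages and domains below are constructed, not real."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand name -> registrable domains that legitimately send mail for it.
# Constructed allow-list for the example; extend for the brands you care about.
BRAND_DOMAINS = {"twitter": {"twitter.com", "x.com"}}

# Constructed sample 1: colleague-style lure with a hidden 1x1 beacon image.
BEACON_EML = b"""From: "Alex Colleague" <alex@newsroom-colleague.test>
To: reporter@example-paper.test
Subject: Piece you should see on the Taiwan talks
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Thought this was relevant to your beat:</p>
<p><a href="https://news.example.test/story/123">Read the story</a></p>
<img src="https://cdn-metrics.example.test/o.gif?id=7f3a" width="1" height="1" style="display:none">
</body></html>
"""

# Constructed sample 2: spoofed password-reset notice pointing off-brand.
TWITTER_EML = b"""From: "Twitter Security" <alerts@twitter-security-notice.test>
To: reporter@example-paper.test
Subject: Action required: reset your password
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We noticed unusual activity. Please reset your password.</p>
<p><a href="https://login.twitter-security-notice.test/reset">Reset Twitter password</a></p>
</body></html>
"""


class _HtmlScan(HTMLParser):
    """Collect <img> attribute dicts and (href, visible text) pairs for <a>."""
    def __init__(self):
        super().__init__()
        self.images, self.links = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "img" and a.get("src"):
            self.images.append(a)
        elif tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    """Crude eTLD+1 (last two labels); fine for .com/.test, wrong for co.uk."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _is_tiny_or_hidden(img):
    style = img.get("style", "").replace(" ", "").lower()
    tiny = any(img.get(k, "").strip('"px ') in ("0", "1") for k in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_beacons(html):
    """Remote images that are invisible to the reader: the web-beacon pattern."""
    p = _HtmlScan(); p.feed(html)
    return [i["src"] for i in p.images
            if urlparse(i["src"]).scheme in ("http", "https") and _is_tiny_or_hidden(i)]


def find_brand_spoof_links(html):
    """Links whose text or host mentions a brand but land on a non-brand domain."""
    p = _HtmlScan(); p.feed(html)
    hits = []
    for href, text in p.links:
        host = (urlparse(href).hostname or "").lower()
        for brand, good in BRAND_DOMAINS.items():
            if (brand in text.lower() or brand in host) and _registrable(host) not in good:
                hits.append((brand, href))
    return hits


def analyze(raw):
    """Return the indicators found in one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    from_dom = _registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    name_spoof = [b for b, good in BRAND_DOMAINS.items()
                  if b in name.lower() and from_dom not in good]
    return {"beacons": find_beacons(html),
            "spoof_links": find_brand_spoof_links(html),
            "display_name_spoof": name_spoof}


if __name__ == "__main__":
    for sample in (BEACON_EML, TWITTER_EML):
        print(analyze(sample))
```

Run it against a mailbox export and the first sample reports only the beacon, while the second reports both the off-brand reset link and the spoofed display name. The domain check is deliberately crude; in production swap `_registrable` for a public-suffix-list lookup, since the two-label heuristic misclassifies country-code second-level domains.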
Iran’s state sponsored hackers are the ones most likely to pose as fellow journalists to accomplish cyber espionage aims. The “Charming Kitten” group, another well-known government-backed group with numerous previous exploits under its belt, does research on specific journalist targets and approaches them with spearphishing emails tailored to their current work. The campaign observed by Proofpoint has occurred since at least early 2022 and has seen the hackers pose as reporters with the UK’s Metro news outlet.
All of the state sponsored hackers will rifle through compromised accounts looking for intelligence, particularly the identity of anonymous sources and any non-public information the journalist may have access to. But some also use the account to attempt to spread malware deeper into the news organization; researchers note that this is likely not just a cyber espionage play, but also involves the potential of using compromised networks to spread state propaganda at timely moments (such as during a war or if pandemic safety measures are taken again).
Chris Clements, VP of Solutions Architecture for Cerberus Sentinel, expands on how this sort of access might be weaponized by nation-state actors, particularly the quiet gathering of social media account credentials:
“Social engineering lures that utilize politically charged headlines can serve dual purposes for geopolitical adversaries. First, their subject matter often elicits an emotionally charged negative reaction in their recipients that can make them more likely to take actions exhorted in the phishing emails. It has been reliably shown by social media platforms that such content reliably drives the highest levels of engagement, so it’s no surprise that attackers will leverage these lures to ensnare their victims as well. The often-divisive subject matter also furthers secondary goals of weakening adversarial nations by driving social discord. A geopolitical adversary preoccupied with managing social unrest is more vulnerable to other political attacks and less able to mobilize effective responses.”