Chinese hackers targeted US political journalists just before Jan. 6 attack, researchers say

Written by AJ Vicens

Hackers linked to the Chinese government have run numerous phishing campaigns against US-based journalists since the start of 2021, researchers said Thursday, with operations focused on political and national security reporters and, in the days leading up to the Jan. 6 attack on the Capitol, on White House correspondents.

The previously unreported efforts are just a few examples of the digital risks journalists and media companies face from an array of well-resourced, state-backed hackers who do everything from collecting information to spreading malware.

Researchers from cybersecurity firm Proofpoint shared the details Thursday as part of a report examining such operations by China, Iran, North Korea and Turkey. The activity included both attacks targeting journalists directly and hackers posing as journalists to target others, the researchers said.

Journalists and media organizations face the same cyber threats as any other sector, the researchers noted. But given the nature of journalists’ work, they are particularly attractive targets for government hackers.

“The media industry and those who work in it can open doors that others cannot,” the researchers wrote. “A successful and timely attack on a journalist’s email account could provide insight into sensitive and emerging stories and source identification.”

And impersonating journalists allows hackers to “spread disinformation or pro-state propaganda, provide disinformation in times of war or pandemic, or be used to influence a politically charged atmosphere”, the researchers added.

Attacks on journalists’ work email accounts are the most common means for such operations, given that journalists frequently communicate with strangers, the researchers said.

Overall, the data presented in Thursday’s report suggests that “some campaigns have targeted media for competitive advantage while others immediately targeted journalists following their coverage painting a regime in a bad light or as a way to spread misinformation or propaganda,” the researchers wrote.

Cyberattacks against journalists and the media are not new. In 2013, The New York Times reported that Chinese hackers had persistently attacked the newspaper over several months in connection with its reporting on then-Chinese Premier Wen Jiabao. In February this year, the Wall Street Journal reported that hackers likely associated with China had broken in and viewed emails and other documents belonging to journalists and other employees as part of an information-gathering effort.

And in November, the Justice Department alleged that two Iranian hackers had gained access to a media company’s computer network in an effort to alter the content of news outlets’ websites as part of a broader election interference operation.


Chinese hackers associated with what are thought to be two separate campaigns targeted US-based journalists during 2021 and into 2022, the researchers said. The first group, tracked by Proofpoint as TA412 and by Microsoft as Zirconium, used malicious emails carrying web beacons for several months in early 2021 to confirm that messages were opened and to collect basic information about the recipients’ systems, such as their public IP address and mail client.

The researchers identified five campaigns, “including those covering US politics and national security at events that have garnered international attention.” They recorded “a very abrupt change in the targeting of reconnaissance phishing” in the days immediately preceding the January 6 attack on the U.S. Capitol, with “a focus on Washington D.C. and White House correspondents during this time.”

Emails sent to targets used subject lines taken from recent articles, while the body of the email duplicated text from those articles. The body also embedded a PNG image fetched from a hacker-controlled domain; the image URL carried a campaign ID, a victim ID, the campaign date, and image file information, so a single request from the recipient’s mail client told the operators who had opened which message and when.
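
The reconnaissance technique described above relies on the mail client fetching a remote image, which hands the operator the recipient’s IP address, user agent and a per-victim identifier from the URL. The script below is an added example, not code from the article or from Proofpoint: it extracts `<img>` references from an HTML message body and flags those that behave like web beacons (remote host outside an allow-list, identifier-style query parameters, or a 1x1 or hidden image). The domain names, parameter names and the sample message are constructed for the example and are not indicators from the report.

```python
"""Flag web-beacon style tracking images in an HTML email body.

Added example, not from the Proofpoint report. Domain names, the
ID_LIKE_PARAMS list and SAMPLE_EMAIL are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Query-parameter names that look like per-campaign or per-victim identifiers.
# Assumption for this example, not indicators taken from the report.
ID_LIKE_PARAMS = {"campaign", "cid", "vid", "victim", "uid", "id", "date", "img"}


class _ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            # attrs is a list of (name, value); value is None for bare attributes
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(attrs):
    """True for 1x1 / 0x0 images or images hidden via inline CSS."""
    width = attrs.get("width", "").strip().rstrip("px")
    height = attrs.get("height", "").strip().rstrip("px")
    style = attrs.get("style", "").replace(" ", "").lower()
    return (width in ("0", "1") and height in ("0", "1")) or "display:none" in style


def find_beacons(html_body, trusted_domains=()):
    """Return findings for remote <img> tags that look like tracking beacons.

    Each finding lists the reasons it was flagged and the decoded query
    parameters, which is what an analyst needs to pivot on the victim ID.
    """
    collector = _ImgCollector()
    collector.feed(html_body)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src", "")
        parsed = urlparse(src)
        if parsed.scheme not in ("http", "https"):
            continue  # data: URIs and cid: attachments make no network request
        host = parsed.hostname or ""
        reasons = []
        if host not in trusted_domains:
            reasons.append("remote host not in allow-list: " + host)
        query = parse_qs(parsed.query)
        id_params = sorted(k for k in query if k.lower() in ID_LIKE_PARAMS)
        if id_params:
            reasons.append("identifier-like query parameters: " + ",".join(id_params))
        if _is_tiny(attrs):
            reasons.append("1x1 or hidden image")
        if reasons:
            findings.append({
                "src": src,
                "host": host,
                "reasons": reasons,
                "params": {k: v[0] for k, v in query.items()},
            })
    return findings


# Constructed sample: article text plus a legitimate logo, a hidden beacon with
# campaign/victim identifiers, and an inline image that triggers no request.
SAMPLE_EMAIL = """<html><body>
<p>Subject and body text copied from a recently published article.</p>
<img src="https://cdn.example-news.invalid/logo.png" width="120" height="40">
<p>More duplicated article text to make the message look legitimate.</p>
<img src="https://update.example-tracker.invalid/img/header.png?campaign=20210104&amp;vid=7f3a9c&amp;date=20210104&amp;img=header.png"
     width="1" height="1" style="display:none">
<img src="data:image/png;base64,iVBORw0KGgo=" width="10" height="10">
</body></html>"""


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_EMAIL, trusted_domains=("cdn.example-news.invalid",)):
        print(finding["host"], finding["params"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The check is only useful before rendering: once a client auto-loads remote images the beacon has already fired, so the practical mitigation is to disable remote content loading in the mail client (or proxy it) and run this kind of scan at the gateway. The `trusted_domains` allow-list keeps ordinary newsletter images from drowning out the real findings; without it every remote image is flagged with a single low-value reason.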

An email associated with TA412 that contained a web beacon tag, according to Proofpoint.

In August, after a months-long hiatus, the same group resumed its attacks but expanded its targeting to include “those working on cybersecurity, surveillance, and privacy issues with a focus on China.” There was another pause, then the attacks resumed in February 2022, the researchers said.

A separate Chinese group, tracked by Proofpoint as TA459, targeted victims with a malicious document that, if opened, installed and ran the Chinoxy malware. The malware gives an attacker a backdoor into a victim’s computer and allows them to maintain persistence, the researchers said.

North Korea

A North Korean group tracked by Proofpoint as TA404, known to others as Lazarus, “in early 2022 targeted a US-based media organization” with job-opportunity-themed phishing, the researchers said, after the unnamed organization published a story critical of North Korean leader Kim Jong Un.

Proofpoint researchers note that they have not seen follow-up emails associated with this campaign, but pointed out that Google’s Threat Analysis Group released findings in March on a similar North Korean operation that shared the same indicators of compromise.


A group that Proofpoint tracks as TA482 and assesses to be aligned with the Turkish government “regularly engages in credential harvesting campaigns” aimed at taking over social media accounts belonging to journalists and, primarily, US-based media organizations, the researchers said.

Twitter credentials of journalists “from well-known news outlets to those writing for an academic institution” were targeted as recently as June, the researchers said, using fake Twitter security login pages.

Twitter-themed credential collection page associated with TA482 captured by Proofpoint.


An Iranian group the researchers call TA453, also known as Charming Kitten, “regularly impersonates journalists around the world,” the researchers noted. The hackers use these personas to engage targets in benign conversation before sending them credential harvesting pages.

A separate Iranian group, TA456 or Tortoiseshell, also poses as media organizations and regularly sends newsletters purporting to come from outlets across the political spectrum, including Fox News and The Guardian. The activity likely complements earlier campaigns targeting defense contractors, the researchers said, which Proofpoint reported in July 2021.

Examples of newsletter themes observed by Proofpoint.

And a third Iranian group, tracked by Proofpoint as TA457, poses as “iNews Reporter to deliver malware to corporate PR staff in the United States, Israel and Saudi Arabia,” the researchers said. A March 2022 effort sent an email with the subject “Iran Cyber War”, while others used themes including Iran, Russia, drones, war crimes, “secret weapons” and more.

Proofpoint identified campaigns from this group every two to three weeks between September 2021 and March 2022, the researchers said.

“The varied approaches of APT actors – the use of web beacons for reconnaissance, credential harvesting and sending malware to gain a foothold in a recipient’s network – means those operating in the media space must remain vigilant,” the researchers concluded.

Journalists and media organizations reporting on China or North Korea “could be part of their collection requirements in the future,” they said.
