Cyber espionage campaigns by state-sponsored hackers impersonate journalists and attempt to unmask anonymous sources
A new report from cybersecurity firm Proofpoint details cyber espionage campaigns directed against journalists, carried out by state-sponsored hackers from several different countries. The hackers work independently for their respective countries, but share similarities in their approach and the information they seek.
Cyber espionage campaigns focus on gaining access to journalists’ accounts and networks by impersonating legitimate members of the profession, usually by phishing an email or social media account. The attackers then hunt for useful geopolitical information and for the identities of sources known to the journalist and their contacts; some also take the opportunity to spread pro-state propaganda.
State-sponsored hackers from four countries actively targeting journalists
The Proofpoint report documents state-sponsored hackers from four countries actively pursuing journalists: China, Iran, Turkey and North Korea. These cyber espionage campaigns have been observed since early 2021, and Proofpoint believes this type of activity will continue indefinitely as hackers have had some success stealing secrets and spreading propaganda.
State-sponsored hackers focus on journalists from other countries, primarily the United States. Their usual entry point is a known journalist’s account, with email accounts the prime target, attacked through phishing lures or malware.
Although the overall goal and tactics are the same, each of the state-sponsored hackers has their own geopolitical interests. China has several Advanced Persistent Threat (APT) groups working in this way, including the infamous “Zirconium” team which has been linked to numerous high-profile attacks and is believed to be in possession of stolen NSA hacking tools. They are also thought to focus most on American journalists, with five campaigns identified in the first months of 2021 and a surge of interest in journalists covering China and Russia in late 2021 and into 2022.
Zirconium likes to open with “web beacons” to probe potential victims: it first sends emails containing an embedded pixel tag (a remotely loaded, typically 1x1 image) that tells the sender whether the account is active and the email was opened, and reveals the recipient’s externally visible IP address. It also helps the attacker learn what types of emails the recipient will open from unknown senders and whether remote image loading is blocked in their mail client, since a blocked image never fires the beacon. Zirconium’s lures are typically topical articles that appear to come from a colleague.
Another Chinese state-sponsored group, TA459, joined these campaigns after the invasion of Ukraine began, with a blunter and more direct approach: it simply sends a malicious RTF document that deploys the Chinoxy malware when opened. TA459 has also concentrated more on targets outside the United States, using compromised Pakistani government email addresses to deliver the malware and targeting journalists who cover Afghanistan.
Cyber espionage campaigns attack leading news outlets, with some success
State-sponsored North Korean hackers have also shown interest in US targets, but their campaigns range much further, involving not only cyber espionage but also attempts to raise money for the isolated regime.
These actions also involve a well-known and long-standing group of state-sponsored hackers, Lazarus, notorious for the WannaCry ransomware outbreak and for the Bangladesh Bank heist, in which it attempted to steal nearly $1 billion and got away with $81 million (among many other exploits). The group was observed in early 2022 targeting a US media outlet with a seemingly innocuous message sharing an article about leader Kim Jong Un’s negative reputation.
In Turkey, a state-sponsored hacking group called “TA482” has launched widespread, seemingly “spray and pray” attacks against all manner of journalists and media outlets covering all manner of topics. These hackers focus on stealing Twitter credentials by sending a spoofed email that appears to be from the app, asking the user to change their password for security reasons. Of course, if the embedded password link is followed, the victim lands on a spoofed Twitter login page that harvests their credentials.
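Both the Zirconium web beacons described above and TA482’s spoofed Twitter password-reset emails leave fingerprints in the HTML of the message itself. The following script is an added example, not code from Proofpoint or from the article: it parses an email body and flags two things, remotely loaded images that look like tracking pixels (tiny, hidden, or carrying a long per-recipient token in the query string) and anchor tags whose visible text names a brand or shows one domain while the link goes somewhere else. The heuristics, the brand-to-domain table (twitter.com and x.com) and the sample email are all assumptions constructed for the example.

```python
"""Flag tracking pixels and spoofed login links in an HTML email body.

Added example: the heuristics and sample data below are assumptions for
illustration, not Proofpoint's detection logic.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Assumed table of brands an attacker might impersonate -> legitimate domains.
LEGIT_DOMAINS = {"twitter": ("twitter.com", "x.com")}


class EmailHtmlParser(HTMLParser):
    """Collect <img> tags and <a> tags (with their visible text)."""

    def __init__(self):
        super().__init__()
        self.images = []
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            self.images.append({"src": a.get("src", ""), "width": a.get("width"),
                                "height": a.get("height"), "style": a.get("style") or ""})
        elif tag == "a":
            self._href = a.get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append({"href": self._href, "text": "".join(self._text).strip()})
            self._href = None


def _dim(value):
    """Parse a width/height attribute such as '1' or '1px'; None if absent/unparseable."""
    if value is None:
        return None
    try:
        return int(str(value).strip().lower().rstrip("px"))
    except ValueError:
        return None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def same_site(host, legit):
    return host == legit or host.endswith("." + legit)


def find_beacons(images):
    """Remote images that are tiny, hidden, or carry a long unique-looking token."""
    found = []
    for img in images:
        src = img["src"]
        if not src.lower().startswith(("http://", "https://")):
            continue  # inline (cid:) or data: images cannot phone home
        w, h = _dim(img["width"]), _dim(img["height"])
        tiny = w is not None and h is not None and w <= 1 and h <= 1
        hidden = "display:none" in img["style"].replace(" ", "").lower()
        query = parse_qs(urlparse(src).query)
        tokened = any(len(v) >= 16 for values in query.values() for v in values)
        if tiny or hidden or tokened:
            found.append(src)
    return found


def find_spoofed_links(links, brand_domains=LEGIT_DOMAINS):
    """Links whose visible text disagrees with where the href actually goes."""
    found = []
    for link in links:
        href_host = host_of(link["href"])
        text = link["text"].lower()
        if text.startswith(("http://", "https://")):
            shown = host_of(text)            # text is itself a URL: hosts must match
            if shown and shown != href_host:
                found.append((link["href"], f"text shows {shown}, href goes to {href_host}"))
                continue
        for brand, domains in brand_domains.items():
            if brand in text and not any(same_site(href_host, d) for d in domains):
                found.append((link["href"], f"mentions {brand} but host is {href_host}"))
    return found


def analyze(html):
    parser = EmailHtmlParser()
    parser.feed(html)
    return {"beacons": find_beacons(parser.images),
            "spoofed_links": find_spoofed_links(parser.links)}


# Constructed sample email: a topical lure with a 1x1 beacon and two fake Twitter links.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Hi, thought you'd find this piece on the Ukraine talks useful.</p>
<img src="https://news-updates.example/open.gif?u=5f3c9a1b2d4e6f708192a3b4c5d6e7f8" width="1" height="1">
<p>Your Twitter account needs attention.
<a href="https://twitter-security-check.example/reset">Reset your Twitter password</a></p>
<p>Or visit <a href="https://tw1tter.example/login">https://twitter.com/settings</a></p>
<img src="cid:logo" width="120" height="40">
</body></html>
"""

if __name__ == "__main__":
    for key, hits in analyze(SAMPLE_EMAIL_HTML).items():
        print(key, hits)
```

Run against the constructed message, the beacon is caught twice over (1x1 dimensions and a 32-character token), while the embedded cid: logo is ignored; the first reset link is flagged because it names Twitter but points off-brand, and the second because its visible URL says twitter.com while the href goes to a lookalike host. In a real mailbox these checks belong in a filter that also strips or proxies remote images, which is exactly the setting the beacon is designed to detect.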
Iranian state-sponsored hackers are most likely to impersonate fellow journalists to achieve cyber espionage goals. The Charming Kitten, another well-known government-backed group with many previous exploits under their belt, researches specific journalist targets and approaches them with spear-phishing emails tailored to their current work. The campaign observed by Proofpoint has taken place since at least early 2022 and has seen the hackers impersonating journalists from the British newspaper Metro.
All state-sponsored hackers will search compromised accounts for information, especially the identities of anonymous sources and any non-public information the journalist may have access to. But some also use the account to try to spread malware deeper into the news organization; the researchers note that this is likely not just a game of cyber espionage, but also involves the possibility of using compromised networks to spread state propaganda at opportune times (such as during a war or if pandemic safety measures are taken again).
Chris Clements, Vice President of Solutions Architecture for Cerberus Sentinel, discusses how this type of access could be weaponized by nation-state actors, particularly the covert harvesting of social media account credentials:
“Social engineering lures that use politically charged headlines can serve two purposes for geopolitical adversaries. First, their subject matter often elicits an emotionally charged negative reaction from their recipients, which can make them more likely to take measures urged in phishing emails. This content has been reliably shown by social media platforms to drive the highest levels of engagement, so it’s no surprise that attackers exploit these decoys to ensnare their victims as well. The often divisive subject also pursues secondary goals of weakening opposing nations by causing social discord. A geopolitical adversary preoccupied with managing social unrest is more vulnerable to further political attacks and less able to mobilize effective responses.