How hostile government APTs target journalists for cyber intrusions

The past 18 months have seen a series of sustained and ongoing cyber campaigns by state-aligned threat actors targeting journalists and media organisations around the world, which show no sign of letting up, according to security firm Proofpoint.

The firm’s research team today (14 July) published new analysis revealing how advanced persistent threat (APT) groups with links to China, Iran, North Korea, Russia and Turkey have been both targeting and posing as journalists to advance their goals.

While the media sector is vulnerable to exactly the same cyber threats as any other – ransomware attacks, and so on – APT groups target it for slightly different purposes, which could have far-reaching impacts on the lives of millions, making it extremely important for media organisations and journalists to protect themselves, their sources, and the integrity of the information they hold.

The sector is particularly valued by state-backed APT actors for several reasons, chiefly because journalists, if compromised, can provide access and information that could prove highly valuable.

Most commonly, said Proofpoint, cyber attacks on journalists are used for espionage or to gain insight into the inner workings of governments or organisations of interest to the attackers.

A well-timed and successful attack on a journalist’s email account could also provide data on political stories that might be damaging to the APT’s paymasters, or enable them to identify and expose activists, political dissidents or whistleblowers.

Compromised accounts can also be used to spread disinformation or propaganda on stories that are potentially damaging to the regime, such as China’s persecution of its Muslim minority in Xinjiang or its abrogation of its commitments to democracy in Hong Kong.

“In an era of digital dependency, the media, like the rest of us, is vulnerable to a variety of cyber threats,” said Sherrod DeGrippo, Proofpoint’s vice-president of threat research and detection.

“Some of the most potentially impactful are those stemming from APT actors. From reconnaissance activity prior to the 6 January 2021 riot to credential harvesting and delivering malware, Proofpoint is disclosing for the first time some specific APT activity targeting or posing as members of the media.”

Proofpoint’s researchers focused on the activities of a handful of APT actors linked to the regimes in China, North Korea, Iran and Turkey.

Its report reveals how China-backed TA412 (aka Zirconium) APT targeted US-based journalists using malicious emails containing web beacons/tracking pixels – hyperlinked non-visible objects in the body of an email which, when enabled, attempt to retrieve a benign image file from an actor-controlled server.

This campaign was probably intended to validate that their targeted email accounts are active and to gather information about the recipients’ network environments, such as externally visible IP addresses, user-agent strings and email addresses.

The nature of this campaign shifted over its duration, with lures constantly changing to fit the current political environment in the US, while TA412 also switched up its list of targets depending on what the Chinese government was interested in at the time.

Most notably, between January and February 2021, TA412 focused on journalists covering US politics and national security.

A very abrupt shift in targeting took place immediately before the 6 January 2021 insurrection that saw a pro-Trump mob storm the Capitol in Washington DC in an attempt to halt the certification of Joe Biden and change the result of the 2020 election, when TA412 started to show a particular interest in Washington and White House correspondents specifically, using subject lines pulled from relevant news articles as lures.

Meanwhile, the Proofpoint team observed multiple Iran-aligned APTs using journalists and newspapers as pretexts to surveil targets and attempt to steal their credentials. Probably the most active is TA453 (aka Charming Kitten), which is thought to be aligned with the intelligence operation of Iran’s Islamic Revolutionary Guard Corps.

TA453 was observed masquerading as journalists from all over the world to engage in ostensibly benign conversations with its targets, including academics and experts in Middle Eastern affairs. These journalist personas, and their targets, were well researched to increase the likelihood that their approaches, flattery and deception would be believed.

During their conversation with the fake journalist, the target would typically receive a benign PDF file, usually delivered from a legitimate file-hosting service, that contained a link to a URL shortener and IP tracker, and redirected the target to a credential harvesting domain controlled by TA453.

A second Iranian actor, TA456 (aka Tortoiseshell) was also observed masquerading as multiple news organisations including Fox News and the Guardian, to spread web beacons, similar to the Chinese group, probably to conduct reconnaissance before attempting to deliver malware, while a third operation, tracked as TA457, posed as an “iNews Reporter” to target internal public relations staffers at companies in Israel, Saudi Arabia and the US, using the subject line “Iran Cyber War” as a lure. This particular campaign was spotted by Proofpoint when TA457 targeted a number of its customers.