Since early 2021, researchers have tracked a “sustained effort” by several APT groups - including ones from China and North Korea - attempting to target U.S. journalists in order to access sensitive information about their sources, which may include high-profile companies or governments.
The targeting of journalists by APTs for espionage purposes is not new, as those working in the media sector can have unique access to and information about various sources. However, the observed APT attacks on journalists over the past year are particularly notable because they appear to have been well-timed with sensitive U.S. political events, said researchers with Proofpoint.
While the campaigns started last year, many are still ongoing. The APT actors used various approaches to gain a foothold in target networks, including the use of web beacons, credential harvesting and malware. They have also targeted journalists’ work emails to perform reconnaissance with the end goal of scoping out sensitive information.
“From intentions to gather sensitive information to attempts to manipulate public perceptions, the knowledge and access that a journalist or news outlet can provide is unique in the public space,” said researchers with Proofpoint in a Thursday analysis. “Targeting the media sector also lowers the risk of failure or discovery to an APT actor than going after other, more hardened targets of interest, such as government entities.”
One APT actor targeting journalists with numerous reconnaissance phishing campaigns is TA412, also known as Zirconium, a known actor aligned with Chinese state interests. Researchers first observed TA412 targeting U.S. journalists in five campaigns between January and February 2021, which included a “very abrupt shift” in targeting of phishing attacks in the days preceding the U.S. Capitol Building attack on Jan. 6, 2021.
“Proofpoint researchers observed a focus on Washington DC and White House correspondents during this time,” said researchers. “The malicious emails utilized subject lines pulled from recent US news articles, such as ‘Jobless Benefits Run Out as Trump Resists Signing Relief Bill,’ ‘US issues Russia threat to China,’ and ‘Trump Call to Georgia Official Might Violate State and Federal Law.’”
The phishing attackers used web beacons, a tactic previously leveraged by TA412 since at least 2016. The web beacons, which embed hyperlinked objects within the email that attempt to retrieve benign image files from actor-controlled servers, can provide attackers with valuable reconnaissance information for the next stage of their attack, such as confirmation of working and active email addresses, user-agent strings and externally visible IP addresses.
“Targeting the media sector also lowers the risk of failure or discovery to an APT actor than going after other, more hardened targets of interest, such as government entities.”
After this spate of campaigns, the actor then paused its activity until Feb. 9, 2022, when researchers identified a renewed surge of campaigns that occurred over a period of ten days, which indicated a desire to collect data on U.S.-based media organizations reporting on U.S. and European engagement in the Russia-Ukraine war.
The North Korea-aligned TA404, also known as Lazarus, was also seen targeting an unnamed U.S.-based media organization in early 2022 with phishing emails that leveraged job opportunity lures, after the organization published an article critical of North Korean leader Kim Jong Un. The reconnaissance phishing campaign used customized URLs with landing pages that impersonated branded job posting sites.
“If a victim interacted with the URL, which contained a unique target ID, the server resolving the domain would have received confirmation that the email was delivered, and the intended target had interacted with it,” said researchers. “This request also provides identifying information about the computer, or device, allowing the host to keep track of the intended target.”
Researchers said they observed shared indicators of compromise between this attack and the “Operation Dream Job” campaign that was disclosed on March 24 by the Google Threat Analysis Group (though journalism and media were not listed by Google TAG for Operation Dream Job’s targeted sectors).
Threat actors have also posed as well-known media organizations and journalists in order to target organizations that they interact with. Iran-aligned threat actor TA457 delivered malware to public relations teams for companies located in the U.S., Israel and Saudi Arabia since late 2021, for instance. In March, the threat actor sent an email with the subject line “Iran Cyber War,” which contained a URL ultimately delivering a remote access trojan that used DNS tunneling to a hardcoded domain. Another Iran-aligned actor, TA456 (also known as Tortoiseshell) was also observed sending newsletters purporting to be from media organizations like Fox News and the Guardian to various targets.
Despite the continued targeting of journalists and other high-risk victims by APTs, tech companies are also taking steps to offer protections against these types of attacks. Apple recently announced a set of security capabilities for iOS 16 called Lockdown Mode, which is meant specifically for journalists, and political dissidents, and will severely restrict the functionality of iPhones when it’s enabled. Meanwhile, Google in June applied its Safe Browsing protection feature to more than 30 domains linked to several hack-for-hire operations that were being used to target journalists.
“The varied approaches by APT actors—using web beacons for reconnaissance, credential harvesting, and sending malware to gain a foothold in a recipient’s network—means those operating in the media space need to stay vigilant,” said Proofpoint researchers. For individual journalists, “assessing one’s personal level of risk can give an individual a good sense of the odds they will end up as a target.”