Proofpoint IT security researchers have witnessed various state-sponsored hacker groups targeting journalists for espionage, spreading malware and infiltrating media organization networks.
Journalists and media organizations are attractive targets for cybercriminals. Proofpoint researchers have observed that APT cybercriminals, particularly those sponsored by or affiliated with a state, routinely impersonate or target journalists or media organizations. The media sector and the people working there can open doors that remain closed to others.
Targeted attacks on journalists' email accounts
A well-timed, successful attack on a journalist's email account can provide insight into sensitive, as-yet unpublished stories and reveal the identity of sources. A compromised account can be used to spread disinformation or pro-state propaganda, deliver disinformation in times of war or pandemic, or influence a politically charged atmosphere. Phishing attacks targeting journalists are most commonly used for espionage or to gain critical insight into the inner workings of another government, corporation, or other area of government concern.
Espionage, disinformation, state interests
Data that Proofpoint has been investigating since early 2021 shows that cybercriminals worldwide are attempting to target or exploit journalists and media personalities in a variety of campaigns, including those timed to coincide with sensitive political events in the United States. Some campaigns have targeted media to gain a competitive intelligence advantage, while others have targeted journalists whose reporting paints a regime in a bad light or have aimed at spreading disinformation. In their report, Proofpoint experts focus on the activities of a handful of Advanced Persistent Threat (APT) actors that they believe are linked to the state interests of China, North Korea, Iran and Turkey.
Results of the expert investigation
- Media professionals are an attractive target because they have exclusive access to information and insights into issues that can potentially affect state security.
- APT actors routinely target or impersonate journalists and media organizations to further their state-backed campaigns.
- The identified campaigns employed a variety of techniques, from using web beacons to sending malware, to gain initial access to the target person's or organization's network.
- APTs' focus on the media is unlikely to ever diminish, which is why it's important for journalists to protect themselves, their sources, and the integrity of their information.
- APT groups backed by China, North Korea, Iran and Turkey target journalists' work email and social media accounts, which provide sensitive information and further access to their organizations.
- Various Iran-affiliated cybercriminals such as Charming Kitten (TA453) and Tortoiseshell (TA456) have posed as journalists for publications such as The Guardian, The Sun, Fox News and The Metro. The attacks targeted academics and foreign policy experts worldwide to gain access to sensitive information.
- China-allied group TA412 increased its activities just days before the January 6, 2021 attack on the US Capitol. Proofpoint researchers observed the group concentrating on Washington, DC and White House correspondents during this period. The same group resumed its attacks in early 2022, focusing on reporters covering US and European involvement in Russia's war against Ukraine.
- The North Korean Lazarus Group (TA404) attacked a US media outlet with a phishing campaign related to job vacancies. This attack came after the organization published an article criticizing North Korean leader Kim Jong Un - a known motive for actions by North Korea-allied APT actors.
- Cyber criminals allied with the Turkish state have focused their efforts on gaining access to journalists' social media accounts, likely with the aim of spreading pro-Erdogan propaganda and establishing further contacts.
About Proofpoint: Proofpoint, Inc. is a leading cybersecurity company. Proofpoint focuses on protecting employees, because they are a company's greatest capital but also its greatest risk. With an integrated suite of cloud-based cybersecurity solutions, Proofpoint helps organizations around the world stop targeted threats, protect their data, and educate enterprise IT users about the risks of cyberattacks.