In a sustained uptick in state-directed cyber espionage, hacking groups linked to China, Iran, North Korea and Turkey have increasingly targeted journalists since early 2021, both to spy on them and to use them as a conduit for malware. These campaigns focus on compromising the communications of media personnel, whose inboxes and contact lists concentrate sensitive information in one place.

According to a recent report from Proofpoint, phishing is the dominant technique in these campaigns, used to extract insights from media professionals about government operations and private-sector activity. Proofpoint describes the intrusions as "sustained," indicating an ongoing effort to gather intelligence or seed disinformation rather than a one-off operation.

Among the identified threat actors are two Chinese groups: TA412, also tracked as Zirconium or Judgment Panda, and TA459. Both have sent journalists emails laced with web beacons and malicious documents. The beacons, typically invisible remote images fetched when the message is opened, confirm that the target reads the mail and reveal details such as the recipient's IP address and mail client; the documents are used to drop the Chinoxy malware. Profiling a target before sending the payload is classic APT tradecraft: reconnaissance first, then initial access.
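The web beacons mentioned above are ordinary `<img>` tags pointing at an attacker-controlled host, so a mail gateway or an analyst can triage them from the HTML alone. The following Python script is an added example, not code from Proofpoint or from the report; the newsletter-style message, the `example-attacker.test` host and the token in the URL are constructed for this illustration and are not indicators from the campaigns. It flags remote images that are 1x1, hidden via CSS, or carry a per-recipient token in their query string, which are the three traits a tracking beacon usually shows.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample: a newsletter-themed HTML body of the kind described
# above. All hosts and tokens are invented for this example.
SAMPLE_HTML = """
<html><body>
<p>This week's headlines from the newsroom.</p>
<img src="https://cdn.example-news.test/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example-attacker.test/open.gif?id=7f3a9c2e1b&r=journalist%40media.test"
     width="1" height="1" style="display:none">
<img src="cid:inline-photo" width="300" height="200">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))


def _is_tiny(attrs):
    """True when both width and height are 1 pixel or less."""
    def dim(name):
        m = re.match(r"\s*(\d+)", attrs.get(name) or "")
        return int(m.group(1)) if m else None
    w, h = dim("width"), dim("height")
    return w is not None and h is not None and w <= 1 and h <= 1


def _is_hidden(attrs):
    """True when inline CSS hides the image from the reader."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def _has_tracking_token(url):
    """True when a query parameter looks like a per-recipient identifier
    (a long hex token or an email address)."""
    for values in parse_qs(urlparse(url).query).values():
        for v in values:  # parse_qs already percent-decodes, so %40 is '@'
            if re.fullmatch(r"[0-9a-fA-F]{8,}", v) or "@" in v:
                return True
    return False


def find_web_beacons(html):
    """Return a list of suspicious remote images with the reasons they were flagged."""
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src") or ""
        if not src.lower().startswith(("http://", "https://")):
            continue  # inline (cid:) or data: images cannot phone home
        reasons = []
        if _is_tiny(attrs):
            reasons.append("1x1 image")
        if _is_hidden(attrs):
            reasons.append("hidden via CSS")
        if _has_tracking_token(src):
            reasons.append("per-recipient token in URL")
        if reasons:
            findings.append({"src": src, "host": urlparse(src).hostname, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_web_beacons(SAMPLE_HTML):
        print(f["host"], "->", ", ".join(f["reasons"]))
```

Legitimate newsletters use the same tracking pixels, so a hit is a triage signal, not a verdict: the useful next step is to check whether the beacon host matches the purported sender's domain and whether it has been seen in other mail to the organization.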

Similarly, North Korea's Lazarus Group used job-themed phishing lures against a U.S.-based media organization after it published coverage critical of the country's leadership. The campaign illustrates the group's reliance on social engineering rather than software exploits to gain initial access.

U.S. media organizations have also been targeted by TA482, a pro-Turkey group that runs credential-harvesting campaigns against journalists' Twitter accounts through deceptive landing pages imitating the Twitter login. The researchers suggest that a hijacked account could be used to reach the journalist's social-media contacts, deface the account, or spread propaganda under a trusted name.

Proofpoint also highlighted several Iranian APT actors. Charming Kitten, for instance, has posed as journalists to lure academics into clicking links that lead to credential-harvesting sites. Here the pattern is inverted: the journalist identity is the lure rather than the target, which shows how much trust a press byline still carries with recipients.

Further complicating matters, the Tortoiseshell group has impersonated media outlets such as Fox News and the Guardian, sending newsletter-themed phishing emails that contain web beacons. In a related ploy, TA457 posed as an "iNews Reporter" to deliver a .NET-based DNS backdoor to public relations staff in the U.S., Israel, and Saudi Arabia. A backdoor that carries its command-and-control traffic over DNS blends in with ordinary name resolution and slips past controls that only inspect web traffic, so detection has to look at query patterns rather than destinations.
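The page does not describe how the TA457 backdoor encodes its traffic, so the following Python script is an added example of the general detection approach for DNS-based command and control, not an analysis of that malware. It groups resolver log entries by registered domain and scores each domain on four traits that DNS backdoors commonly show: mostly unique subdomains, long first labels, high label entropy, and a regular query interval. The log lines and every domain in them are constructed for this example.

```python
import math
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed resolver log: timestamp, client, query type, query name.
# Every name below is invented; the hex-labelled TXT queries model a
# DNS backdoor beaconing every 30 seconds.
SAMPLE_DNS_LOG = """\
2022-07-14T09:00:01 10.1.2.7 A www.example-news.test
2022-07-14T09:00:02 10.1.2.7 A cdn.example-news.test
2022-07-14T09:00:05 10.1.2.7 TXT 6a7b3c9d2e1f4a5b6c7d.c2.example-attacker.test
2022-07-14T09:00:35 10.1.2.7 TXT 9f8e7d6c5b4a3f2e1d0c.c2.example-attacker.test
2022-07-14T09:01:05 10.1.2.7 TXT 0c1d2e3f4a5b6c7d8e9f.c2.example-attacker.test
2022-07-14T09:01:35 10.1.2.7 TXT b1c2d3e4f5a6b7c8d9e0.c2.example-attacker.test
2022-07-14T09:02:05 10.1.2.7 TXT 2e3f4a5b6c7d8e9f0a1b.c2.example-attacker.test
2022-07-14T09:02:06 10.1.2.7 A mail.example-news.test
"""


def parse_dns_log(text):
    """Parse whitespace-separated log lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "qtype": qtype.upper(), "qname": qname.lower().rstrip(".")})
    return records


def registered_domain(qname):
    """Naive registered domain: the last two labels. A real deployment
    should use the public suffix list instead."""
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_domains(records, min_queries=3):
    """Score each registered domain; 'suspicious' needs at least three
    of the four indicators and a minimum number of queries."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[registered_domain(r["qname"])].append(r)

    results = {}
    for domain, recs in by_domain.items():
        recs.sort(key=lambda r: r["ts"])
        first_labels = [r["qname"].split(".")[0] for r in recs]
        hits = []
        if len(set(first_labels)) / len(recs) >= 0.8:
            hits.append("mostly unique subdomains")
        if mean([len(l) for l in first_labels]) >= 16:
            hits.append("long first label")
        if mean([shannon_entropy(l) for l in first_labels]) >= 3.0:
            hits.append("high-entropy labels")
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        if len(gaps) >= 3 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < 0.2:
            hits.append("regular beacon interval")
        results[domain] = {
            "queries": len(recs),
            "indicators": hits,
            "suspicious": len(recs) >= min_queries and len(hits) >= 3,
        }
    return results


if __name__ == "__main__":
    for domain, info in score_domains(parse_dns_log(SAMPLE_DNS_LOG)).items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{flag:10} {domain} ({info['queries']} queries): {', '.join(info['indicators'])}")
```

CDNs and some security products also generate unique, high-entropy subdomains, so the thresholds above are a starting point to tune against a baseline of the organization's own traffic; the beacon-interval check is the one that most reliably separates an implant from legitimate bursty lookups.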

Journalists are attractive targets because of their access to sensitive, often unique information. A compromised journalist's email account can reveal stories before publication, expose confidential sources, or be used to lend credibility to disinformation, which matters most during crises or politically charged periods.
