How hostile government APTs target journalists for cyber intrusions

The past 18 months have seen a series of sustained and ongoing cyber campaigns by state-aligned threat actors targeting journalists and media organisations around the world, which show no sign of letting up, according to security firm Proofpoint.

The firm’s research team today (14 July) published new analysis revealing how advanced persistent threat (APT) groups with links to China, Iran, North Korea, Russia and Turkey have been both targeting and posing as journalists to advance their goals.

While the media sector is vulnerable to exactly the same cyber threats as any other – ransomware attacks, and so on – APT groups target it for slightly different purposes, which could have far-reaching impacts on the lives of millions, making it extremely important for media organisations and journalists to protect themselves, their sources, and the integrity of the information they hold.

The sector is particularly valued by state-backed APT actors for several reasons, chiefly because journalists, if compromised, can provide access and information that could prove highly valuable.

Most commonly, said Proofpoint, cyber attacks on journalists are used for espionage or to gain insight into the inner workings of governments or organisations of interest to the attackers.

A well-timed and successful attack on a journalist’s email account could also provide data on political stories that might be damaging to the APT’s paymasters, or enable them to identify and expose activists, political dissidents or whistleblowers.

Compromised accounts can also be used to spread disinformation or propaganda on stories that are potentially damaging to the regime, such as China’s persecution of its Muslim minority in Xinjiang or its abrogation of its commitments to democracy in Hong Kong.

“In an era of digital dependency, the media, like the rest of us, is vulnerable to a variety of cyber threats,” said Sherrod DeGrippo, Proofpoint’s vice-president of threat research and detection.

“Some of the most potentially impactful are those stemming from APT actors. From reconnaissance activity prior to the 6 January 2021 riot to credential harvesting and delivering malware, Proofpoint is disclosing for the first time some specific APT activity targeting or posing as members of the media.”

Proofpoint’s researchers focused on the activities of a handful of APT actors linked to the regimes in China, North Korea, Iran and Turkey.

Its report reveals how the China-backed APT TA412 (aka Zirconium) targeted US-based journalists using malicious emails containing web beacons, or tracking pixels: hyperlinked, non-visible objects in the body of an email which, when enabled, attempt to retrieve a benign image file from an actor-controlled server.

This campaign was probably intended to validate that their targeted email accounts are active and to gather information about the recipients’ network environments, such as externally visible IP addresses, user-agent strings and email addresses.
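As an added example, not taken from Proofpoint’s report or the article, the short Python scanner below applies the beacon characteristics just described to a constructed HTML email body: it flags remote images that are 1x1 or hidden by CSS, and records any per-recipient token in the image URL so a defender can see what a single fetch would have disclosed about the recipient. All hostnames and tokens are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email with one ordinary inline logo and two
# hidden remote images of the kind described above. Hostnames are placeholders.
SAMPLE_EMAIL = """
<html><body>
<p>Breaking: committee hearing rescheduled</p>
<img src="cid:logo.png" width="120" height="40" alt="logo">
<img src="https://tracker.example.invalid/open?id=rcpt-7f3a9c" width="1" height="1">
<a href="https://news.example.invalid/story"><img
  src="https://cdn.example.invalid/px.gif?u=editor%40paper.example" style="display:none"></a>
</body></html>
"""

class _ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag in the document."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def _is_tiny(value):
    # Width/height of 0 or 1 (with or without a 'px' suffix) renders invisibly.
    if value is None:
        return False
    digits = "".join(ch for ch in str(value) if ch.isdigit())
    return digits != "" and int(digits) <= 1

def find_beacons(html):
    """Return remote images that look like web beacons and why each was flagged."""
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for img in collector.images:
        src = img.get("src", "")
        parsed = urlparse(src)
        if parsed.scheme not in ("http", "https"):
            continue  # cid: and data: images cannot call back to a server
        reasons = []
        if _is_tiny(img.get("width")) and _is_tiny(img.get("height")):
            reasons.append("1x1 dimensions")
        style = (img.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if reasons:  # the query string is what ties a fetch to one recipient
            findings.append({"host": parsed.hostname, "url": src,
                             "reasons": reasons, "token": parsed.query or None})
    return findings
```

Blocking remote image loading in the mail client defeats the beacon regardless of how it is hidden; the scanner is useful for triage of messages that have already been opened.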

The nature of this campaign shifted over its duration, with lures constantly changing to fit the current political environment in the US, while TA412 also switched up its list of targets depending on what the Chinese government was interested in at the time.

Most notably, between January and February 2021, TA412 focused on journalists covering US politics and national security.

A very abrupt shift in targeting took place immediately before the 6 January 2021 insurrection, in which a pro-Trump mob stormed the Capitol in Washington DC in an attempt to halt the certification of Joe Biden’s victory and change the result of the 2020 election. At that point, TA412 began to show a particular interest in Washington and White House correspondents specifically, using subject lines pulled from relevant news articles as lures.

Meanwhile, the Proofpoint team observed multiple Iran-aligned APTs using journalists and newspapers as pretexts to surveil targets and attempt to steal their credentials. Probably the most active is TA453 (aka Charming Kitten), which is thought to be aligned with the intelligence operation of Iran’s Islamic Revolutionary Guard Corps.

TA453 was observed masquerading as journalists from all over the world to engage in ostensibly benign conversations with its targets, including academics and experts in Middle Eastern affairs. These journalist personas, and their targets, were well researched to increase the likelihood that their approaches, flattery and deception would be believed.

During their conversation with the fake journalist, the target would typically receive a benign PDF file, usually delivered from a legitimate file-hosting service, that contained a link to a URL shortener and IP tracker, and redirected the target to a credential harvesting domain controlled by TA453.

A second Iranian actor, TA456 (aka Tortoiseshell), was also observed masquerading as multiple news organisations, including Fox News and the Guardian, to spread web beacons similar to those used by the Chinese group, probably to conduct reconnaissance before attempting to deliver malware. A third operation, tracked as TA457, posed as an “iNews Reporter” to target internal public relations staffers at companies in Israel, Saudi Arabia and the US, using the subject line “Iran Cyber War” as a lure. This particular campaign was spotted by Proofpoint when TA457 targeted a number of its customers.

Lazarus has entered the chat

In the case of North Korea, it is perhaps little surprise to see TA404 – more widely known as Lazarus – involved in targeting the media sector.

In one incident observed by Proofpoint’s team, Lazarus trained its sights on a US media organisation that had published an article critical of North Korean dictator Kim Jong Un – an act that frequently causes North Korean APTs to take action. The campaign began with reconnaissance phishing, using URLs customised to its targets, masquerading as a job opportunity – a favoured tactic of Lazarus.

If the target interacted with the URL, the server resolving the domain received confirmation that the email was delivered and interacted with, along with identifying information about the target’s device.

Proofpoint said it had not seen any follow-up emails in this campaign, but given Lazarus’ well-documented fondness for malware, it is likely they would have tried to deliver some eventually.

In the case of Turkey – which as a Nato country is not typically regarded as a hostile state, although it has been drifting towards authoritarianism – an APT tracked as TA482 has been regularly observed targeting journalists’ social media accounts in a credential theft campaign.

TA482 is not definitively linked to the Turkish government, but it uses services based in the country to host its domains and infrastructure, and Turkey has a history of exploiting social media to spread propaganda favourable to its hardline president, Recep Tayyip Erdogan, and the ruling party, so it is highly likely that it is aligned with the state.

In one TA482 campaign observed this year, the group targeted the Twitter credentials of multiple journalists in both well-known and less prominent media outlets. Its lures were themed as Twitter security alerts concerning, ironically, a suspicious login to their account. Clicking the link in the email sends its target to a TA482-controlled landing page that impersonates Twitter’s password reset function.

Proofpoint said it could not necessarily verify the motivation behind this campaign, but based on what is known of Turkey’s APT scene – not one of the world’s most prominent – TA482 is likely trying to get access to journalists’ contacts through their direct messages or hijack the accounts altogether to deface them and spread pro-Erdogan propaganda ahead of parliamentary and presidential elections to be held in 2023.

Soft targets

Proofpoint’s research team said it was certain that nation-state APTs will continue to target journalists and media organisations, regardless of their affiliation, because their usefulness in terms of opening doors to other targets is unparalleled.

Also, many are perhaps less likely to have paid appropriate attention to cyber security than, for example, a government entity with hardened defences, so APTs targeting journalists are less likely to be discovered.

In effect, attacks on journalists and media outlets are somewhat akin to supply chain attacks, such as those that wrought havoc among the customers of Kaseya and SolarWinds in the past two years.

As the team’s research demonstrates, because so many different approaches are used, it is vital that those operating in the media space remain vigilant.

“Assessing one’s personal level of risk can give an individual a good sense of the odds they will end up as a target,” the team wrote in their summing up.

“If you report on China or North Korea or associated threat actors, you may become part of their collection requirements in the future.

“Being aware of the broad attack surface – all the varied online platforms used for sharing information and news – that an APT actor can leverage is also key to preventing oneself from becoming a victim.

“And ultimately, practising caution and verifying the identity or source of an email can halt an APT attack in its nascent stage.”

Proofpoint’s full write-up, which includes multiple screengrabs drawn from some of its observed campaigns, can be found here.
