Hackers Pose as Journalists and Media Organizations to Deploy Malware

Media organizations and journalists face a wide range of threats throughout their careers, on top of those that all other individuals face.

There have been many reports in the past few years of journalists and media organizations being targeted by state-aligned APT threat groups originating from the following countries:-

  • China
  • North Korea
  • Iran
  • Turkey

Threat actors pursue these targets because journalists have non-public information at their disposal. This gives threat actors an opportunity to extend and boost their illicit cyberespionage operations.

Illicit activity

Several APT groups are currently impersonating or targeting journalists, and Proofpoint analysts have been tracking these activities from 2021 into 2022.

Since early 2021, there has been a confirmed case of an American journalist being targeted by a threat actor known as ‘Zirconium’ (TA412), which is reportedly linked to China. The emails it sent contained trackers that alerted the attackers when a message was viewed, and these trackers were used to profile the recipients.

Through this simple trick, the threat actor also obtained the target’s public IP address. That information lets them learn more about the victim, including the victim’s location and ISP.

Email accounts of journalists were targeted

People working in the media sector have access to information that may not be available to other sectors of the economy. Sensitive information can be obtained from a journalist’s email account if an attack is well timed and successful.

During the course of gathering information, journalists often interact with several types of entities and parties like:-

  • External parties
  • Foreign parties
  • Semi-anonymous parties

As a result, journalists are at an increased risk of being phished and scammed, since they communicate with unknown parties far more often than the average person.

Such accounts can offer threat actors an entry point for later-stage attacks if they can verify or gain access to them, and the accounts can then be used to reach other networks as well.

These campaigns are designed to verify which targeted email addresses are active and to gain some understanding of the recipients’ networks.

Web beacons can provide the following technical artifacts to an attacker, which the threat actor can use for reconnaissance while planning the next stage of the attack:

  • Externally visible IP addresses
  • User-Agent string
  • Email address 
  • Validation that the targeted user account is active
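As an added example (not code from Proofpoint’s research or from this article), the following Python script applies a few defender-side heuristics to flag likely web beacons in an email’s HTML body: remote images that are tiny, hidden by CSS, or carry an opaque per-recipient token in their URL. The sample message and the hostnames in it are constructed for illustration.

```python
"""Flag likely web beacons (tracking pixels) in an email's HTML body."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

TINY = {"0", "1", "0px", "1px"}          # dimensions typical of a tracking pixel


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the body."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def beacon_reasons(img):
    """Return the heuristics a single <img> trips (empty list = looks benign)."""
    url = urlparse(img.get("src", ""))
    if url.scheme not in ("http", "https"):   # cid:/data: images cannot phone home
        return []
    reasons = []
    if img.get("width", "").strip() in TINY and img.get("height", "").strip() in TINY:
        reasons.append("1x1 or 0x0 dimensions")
    style = img.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden by CSS")
    # A long opaque value in the query string is often an encoded recipient id,
    # which is how a beacon ties the fetch (IP, User-Agent) back to one address.
    for values in parse_qs(url.query).values():
        if any(len(v) >= 16 and re.fullmatch(r"[A-Za-z0-9_\-=]+", v) for v in values):
            reasons.append("opaque per-recipient token in URL")
            break
    return reasons


def find_web_beacons(html):
    """Return [(src, reasons)] for every remote image that looks like a beacon."""
    parser = _ImgCollector()
    parser.feed(html)
    hits = []
    for img in parser.images:
        reasons = beacon_reasons(img)
        if reasons:
            hits.append((img.get("src", ""), reasons))
    return hits


# Constructed sample body with hypothetical hosts; the token is base64 of an address.
SAMPLE = """<p>Hello, I am writing regarding your recent article.</p>
<img src="https://cdn.example.org/logo.png" width="120" height="40">
<img src="https://track.example.net/o.gif?u=aGVsbG9AZXhhbXBsZS5jb20=" width="1" height="1" style="display:none">
"""

if __name__ == "__main__":
    for src, reasons in find_web_beacons(SAMPLE):
        print(src, "->", ", ".join(reasons))
```

Mail clients that block remote image loading by default deny the beacon the fetch that would reveal the IP address, User-Agent and account activity listed above.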

Groups involved

The same tactics were employed by Zirconium again in February 2022, with a focus on journalists covering the Russia-Ukraine conflict as the target.

The groups involved are listed below:-

  • TA412 (Zirconium)
  • TA459
  • TA404
  • TA482
  • TA453 (Charming Kitten)
  • TA456 (Tortoiseshell)
  • TA457

Proofpoint observed the TA459 group in April 2022 as part of its ongoing analysis of Chinese APT threats. As per reports, the Chinoxy malware was embedded in RTF files that were sent to reporters, exposing any reporter who opened them to the malware.

Hackers associated with the North Korean TA404 group were also observed posing as journalists and using fake job postings in the spring of 2022.

Turkish threat actors tracked as TA482 staged campaigns aimed at harvesting the credentials of journalists’ social media accounts.

In the future, it is expected that APTs will continue to target journalists with various social engineering techniques, phishing tricks, and malware droppers.

Unfortunately, a media organization and its employees are, by the nature of their work, accessible to the general public. The implication is that they may fall victim to social engineering, and sensitive information may be compromised as a result.

Balaji N
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.