APT groups are increasingly targeting journalists and impersonating media outlets, according to new research from Proofpoint.
The groups, which are state-based or state-aligned actors, are looking to gain access to sensitive information and sources, manipulate news, and deceive public relations and other industry professionals into thinking they are dealing with legitimate news outlets.
According to researchers at Proofpoint, there has been a “sustained effort” by APT actors to “target or leverage journalists and media personas.” These attacks increased around the US election in 2021, with a particular focus on US-based journalists covering national security and politics.
Some APT groups are using phishing and other techniques to gain access to journalists’ email and communications and to carry out reconnaissance on their network and working environments. They are also targeting reporters’ social media accounts.
Others are using fake newsletters, purporting to come from well-known media brands, to lure in experts across a range of industries, especially in the US, Middle East and Israel.
And some are using fake journalists’ identities to target experts in academia and policy, again especially in the Middle East. Proofpoint believes these are credential harvesting attacks.
The researchers identified the Chinese group TA412, aka Zirconium, as targeting US-based journalists, using web beacon techniques to validate that the targeted email addresses are live and read.
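A web beacon is a remotely hosted image, typically 1x1 pixel or hidden by CSS, whose fetch tells the sender that a message was opened from a live address. Mail clients that block remote content neutralise it, and a mail gateway or mailbox rule can flag messages that carry one before anyone replies. The scanner below is an added illustration for this article, not code from Proofpoint's research, and the sample messages it scans are constructed here; the `example.invalid` host and the thresholds are assumptions.

```python
"""Flag remote-image web beacons in HTML email bodies (defender-side heuristic).

Added example, not from the article or Proofpoint. Sample HTML is
constructed; example.invalid is a placeholder host.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Image dimensions at or below this are treated as tracking pixels (assumed threshold).
TINY = 2
# Query strings at least this long are treated as per-recipient tracking tokens (assumed).
MIN_TOKEN_LEN = 16


def _tiny(val):
    """True if an HTML width/height value is TINY pixels or smaller."""
    if val is None:
        return False
    digits = "".join(ch for ch in str(val) if ch.isdigit())
    return digits != "" and int(digits) <= TINY


class BeaconScanner(HTMLParser):
    """Collects <img> tags that look like beacons: remote, tiny, hidden, or tokenised."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = urlparse(src).netloc
        if not host:
            # Inline (cid:) or data: images cannot phone home; skip them.
            return
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1-size")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        if "?" in src and len(src.split("?", 1)[1]) >= MIN_TOKEN_LEN:
            reasons.append("tracking-query")
        if reasons:
            self.findings.append({"host": host, "src": src, "reasons": reasons})


def scan_html(html):
    """Return a list of suspected beacons found in an HTML email body."""
    parser = BeaconScanner()
    parser.feed(html)
    return parser.findings


# Constructed sample: a short follow-up note carrying a hidden 1x1 tracking image.
CONSTRUCTED_BEACON = (
    "<html><body><p>Hi, following up on my earlier note.</p>"
    '<img src="https://example.invalid/t/open?id=a1b2c3d4e5f6a7b8c9d0" '
    'width="1" height="1" style="display:none"></body></html>'
)

# Constructed sample: an ordinary newsletter with a visible logo and an inline image.
CONSTRUCTED_CLEAN = (
    '<html><body><img src="https://example.invalid/logo.png" width="200" height="60" alt="Logo">'
    '<img src="cid:part1@mail" width="1" height="1">'
    "<p>Weekly newsletter</p></body></html>"
)

if __name__ == "__main__":
    for label, body in (("beacon", CONSTRUCTED_BEACON), ("clean", CONSTRUCTED_CLEAN)):
        print(label, scan_html(body))
```

Run against a quarantined message body, a non-empty result is a reason to open the message with remote images blocked and to verify the sender through a known-good channel rather than by replying.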
Another Chinese group, TA459, stands accused of spreading the Chinoxy malware that sets up a back door on victims’ machines. In Turkey, group TA482 was found to be involved in credential harvesting. Proofpoint assessed that TA482 is aligned with the Turkish state.
The researchers also identified a further group, TA453 or Charming Kitten, which they believe supports the Iranian Revolutionary Guard Corps. This group, they say, routinely poses as journalists to set up conversations with target individuals involved in Middle Eastern affairs.
A further Iranian group, TA456 or Tortoiseshell, is thought to be behind fake newsletters designed to look as if they come from Fox News or The Guardian. And TA457 is claimed to pose as “iNews Reporter” to PR personnel in the US, Israel and Saudi Arabia.
“Cyber-criminals are increasingly leveraging journalists’ public profiles to dupe targets; organizations need to carry out some fact-checking of their own to verify identities before responding or sharing sensitive information,” warned Christian Borst, CTO EMEA at security vendor Vectra AI.
“The more sophisticated the attacker, the better the impersonation is tailored to the context. Whether one is impersonating a C-Level [executive], a family member in need, a parcel delivery service, or a journalist all depends on the context and the target.”