Cyber espionage campaigns directed at journalists are becoming more common around the world, according to a new report from Proofpoint. State-sponsored hackers from at least four countries have been observed targeting members of the media, looking to snag secrets from their inboxes and expand farther into the networks of news outlets.
Report documents cyber espionage campaigns against journalists in four countries
Proofpoint has observed journalists being targeted by state-sponsored hackers in China, North Korea, Turkey and Iran. While these are certainly not the only countries in which this sort of cyber espionage is being conducted (as the recent Pegasus spyware scandals have shown), these four appear to be among the most active and are bringing experienced advanced persistent threat (APT) groups to bear on members of the media.
Each country has its own approach. For example, North Korea’s state-sponsored hackers seem just as interested in stealing money as they are in cyber espionage. The Lazarus APT group, well known for capturing large sums of money from a variety of targets over the past decade, has been spotted targeting United States media figures with fake stories about their leader Kim Jong Un. However, it is unclear whether they are more interested in stealing secrets or leveraging this access for profit; they have been consistently attacking a wide variety of targets for years.
Turkey’s state-sponsored hackers have also been very broad in their target selection, but have more of a focus on media figures. They are also specifically interested in Twitter credentials, something not usually targeted for profit. The Turkish hackers send journalists a fake email that purports to be from Twitter, claiming that suspicious login attempts have taken place and prompting them to change their password. This indicates a cyber espionage focus as the hackers are likely looking to browse DMs for non-public information and possibly use the account to communicate with other targets.
Iran’s “Charming Kitten” band of state-sponsored hackers lives up to the moniker by pretending to be journalists with legitimate media outlets (most frequently the UK’s Metro), approaching legitimate media figures with requests to discuss a story. They will then attempt to pass malicious documents at some point in the conversation.
China has the most aggressive and extensive cyber espionage operation yet spotted, however. It has at least two of its most experienced teams of state-sponsored hackers on the task of targeting journalists, with one group focusing on the US and the other thus far appearing to be working in Pakistan and seeking information pertaining to Afghanistan. The group working in the US appears to be most interested in reporters that cover China and Russia.
State-sponsored hackers target individual journalists with advanced capabilities
Aside from North Korea’s usual money-making schemes, most of these state-sponsored hackers appear to be looking for the identity of anonymous sources and any “off-the-record” information they can glean from email inboxes and social media accounts. Some look to penetrate further into news networks, however, in what security analysts think may be a bid to hijack them during an opportune moment.
The report did not go deep into the methods used by these attackers, but given that these campaigns date back to early 2021, it is possible that Pegasus or a similar vendor-provided spyware was involved in at least some cases. However, it does not mention the deployment of Pegasus on the devices of any US journalists.