Hackers Pretend to Be Journalists to Gain Access to Information

Proofpoint analysts write that hackers pretend to be journalists in order to get information from other journalists and the media. Journalists and media companies remain a constant target for attacks by government hackers (including those from China, North Korea, Iran, Turkey and Russia).

Interestingly, in an attempt to penetrate the networks of these organizations, which often have unique access to classified information, the attackers themselves pretend to be members of the media.

In their report, the researchers talk about several hack groups that at once posed as journalists or harassed them in 2021-2022.

For example, since the beginning of 2021, the Chinese group Zirconium (TA412) has been attacking American journalists with emails containing special trackers that tell the attackers that the messages have been viewed. This simple trick allowed attackers to learn the target’s IP address, from which they could obtain additional information, such as the victim’s location and ISP.

In April 2022, Proofpoint discovered another Chinese group (TA459) that attacked the media using RTF files that, when opened, infected the victim’s machine with Chinoxy malware. This group mainly attacked publications interested in the foreign policy of Afghanistan.

In addition, in the spring of 2022, North Korean hackers from the TA404 group were also seen attacking media workers and using fake job advertisements for this. Whereas Turkish attackers from the TA482 group organized campaigns to collect credentials, seeking to hack journalists’ social media accounts.

However, not all hackers try to break into journalists’ accounts. Instead, some pose as members of the media themselves to make contact with their targets. Proofpoint writes that this tactic is mainly used by Iranian hackers such as TA453 (this group is also known as Charming Kitten), who send letters to scholars and experts on Middle East politics, posing as journalists.

Another good example of such attacks is the TA456 (aka Tortoiseshell) group, which disguises their emails as newsletters from the Guardian and Fox, hoping this will help deliver the malware to the victims.