Media organizations and journalists have been increasingly targeted by state-sponsored advanced persistent threat actors with a clear purpose of obtaining access to their sensitive information, spying on their activities or even identifying their sources. In addition, compromised journalist accounts might also be used for spreading disinformation or pro-state propaganda.
The state-sponsored campaigns involve China’s TA412, called Zirconium, and TA459 (Chinoxy); North Korea’s TA404, also known as Lazarus; Turkey’s TA482; and Iran’s TA453, known as Charming Kitten, TA456 (TortoiseShell) and TA457.
Zirconium has been targeting American journalists since 2021. The actor, aligned with Chinese state interests, has often used emails to target people with web beacons before fully compromising them. TA412 launched at least five campaigns targeting American journalists covering U.S. politics and national security during events such as the Jan. 6 attack on the Capitol.
In 2022, the threat actor targeted journalists reporting on American and European engagement in the anticipated Russo-Ukrainian War. Meanwhile, the threat actor TA459 targeted media employees with emails containing a malicious RTF attachment. Once opened, it would install and run malware known as Chinoxy.
In early 2022, threat actor TA404, also known as Lazarus, created fake job offer pages designed to look like a branded job posting website in a campaign dubbed Operation Dream Job. Links to these pages were sent to American targets belonging to a media organization which had published an article that was critical of North Korean leader Kim Jong-un.
TA482 is a threat actor targeting the social media accounts of American journalists and media organizations. The threat actor aligns with Turkish state interests. In early 2022, TA482 sent a social engineering email, supposedly from Twitter’s Security Center, warning the user of a suspicious connection.
TA453, also known as Charming Kitten, routinely poses as journalists from around the world. The threat actor starts friendly conversations with its targets, who are mostly academics and policy experts working on Middle Eastern foreign affairs.
TortoiseShell, also known as TA456, is another actor from Iran that targets media organizations via other attack campaigns. The threat actor targets users with newsletter emails containing web beacons before compromising these users via malware infection.
TA457 poses as an iNews reporter to deliver malware to people responsible for public relations in American, Israeli and Saudi Arabian companies. Between September 2021 and March 2022, the threat actor ran attack campaigns approximately every two to three weeks, targeting both generic and individual email addresses at these media organizations.