Nation-state hacking teams aligned with China, Iran, North Korea, and Turkey have been concentrating on journalists to conduct espionage and unfold malware as a part of a collection of campaigns since early 2021.
“Mostly, phishing assaults concentrating on journalists are used for espionage or to achieve key insights into the internal workings of one other authorities, firm, or different space of state-designated import,” Proofpoint stated in a report shared with The Hacker Information.
The last word aim of the intrusions, the enterprise safety agency stated, is to achieve a aggressive intelligence edge or unfold disinformation and propaganda.
Proofpoint stated it recognized two Chinese language hacking teams, TA412 (aka Zirconium or Judgment Panda) and TA459, concentrating on media personnel with malicious emails containing internet beacons and weaponized paperwork respectively that have been used to amass details about the recipients’ community environments and drop Chinoxy malware.
In an identical vein, the North Korea-affiliated Lazarus Group (aka TA404) focused an unnamed U.S.-based media group with a job offer-themed phishing lure following its crucial protection of supreme chief Kim Jong Un, as soon as once more reflective of the menace actor’s continued reliance on the method to additional its aims.
U.S.-based journalists and media have additionally come underneath assault from a pro-Turkey hacking group referred to as TA482, which has been linked to a credential harvesting assault designed to siphon Twitter credentials through bogus touchdown pages.
“The motivations behind these campaigns […] might embrace utilizing the compromised accounts to focus on a journalist’s social media contacts, use the accounts for defacement, or to unfold propaganda,” the researchers theorized.
Lastly, Proofpoint highlighted makes an attempt on the a part of a number of Iranian APT actors corresponding to Charming Kitten (aka TA453) by masquerading as journalists to entice lecturers and coverage consultants into clicking on malicious hyperlinks that redirect the targets to credential harvesting domains.
Additionally becoming a member of this record is a menace actor named Tortoiseshell (aka TA456 or Imperial Kitten) that is stated to have “routinely” impersonated media organizations like Fox Information and the Guardian to ship newsletter-themed emails containing internet beacons.
The third Iran-aligned adversary to observe an an identical method is TA457, which posed as an “iNews Reporter” to ship a .NET-based DNS Backdoor to public relations personnel for firms within the U.S., Israel, and Saudi Arabia.
The truth that journalists and media entities have grow to be the locus of assaults is underscored by their skill to supply “distinctive entry and knowledge,” making them profitable targets for intelligence gathering efforts.
“A well-timed, profitable assault on a journalist’s e-mail account might present insights into delicate, budding tales and supply identification,” the researchers stated. “A compromised account may very well be used to unfold disinformation or pro-state propaganda, present disinformation throughout instances of battle or pandemic, or be used to affect a politically charged environment.”