Targeted phishing attacks are traced to multiple threat actors who have each independently focused on stealing credentials and sensitive data and tracking the geolocation of journalists.
In a Thursday report by Proofpoint, researchers outline individual efforts by advance persistent threat (APT) groups who they say are aligned with China, North Korea, Iran and Turkey. Attacks began in early 2021 and are ongoing, researchers said.
According to the report, the APTs are acting independently of each other but share the same overall goal of targeting journalists. Tactics are also similar, with threat actors targeting email and social-media accounts as phishing inroads in cyberespionage campaigns.
Often posing as journalists themselves, the threat actors have focused on phishing campaigns with the goal of credential harvesting, theft of data helpful to specific regimes and digital surveillance of political journalists.
APT Tradecraft: The Phish
The attacks typically involved some type of social engineering to lower the guard of targets in order to coax them to download and execute various malicious payloads onto their personal digital devices, researchers said. Lures included emails and messages sent via various social media platforms on topics related to their area of political focus, researchers said.
[FREE On-demand Event: Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office. WATCH HERE.]
In various instances the attackers would lie low, post malware infection, in order to gain persistence on a recipient’s network and conduct lateral network reconnaissance and propagate additional malware infections within the target’s network.
Secondary tactics included tracking or surveilling journalists. Proofpoint said adversaries used web beacons planted on journalists’ devices to carry out the surveillance.
Journalist Have Been Targeted Before, But Not Like This
While the latest report tracks some of the most recent activity against journalists, targeting this group of individuals certainly isn’t novel, given the type of information to which journalists have access to when it comes to political and socio-economic issues, they noted.
“APT actors, regardless of their state affiliation, have and will likely always have a mandate to target journalists and media organizations and will use associated personas to further their objectives and collection priorities,” researchers wrote.
Moreover, this focus on media by APTs is unlikely to ever wane, which should inspire journalists to do everything they can to secure their communications and sensitive data, they said.
China-backed APTs Strike in U.S.
Between January and February 2021, Proofpoint researchers identified five campaigns by
Chinese APT TA412, also known also as Zirconium, targeting US-based journalists, most notably those covering U.S. politics and national security during events that gained international attention, researchers said.
The way the campaigns were crafted depended upon the current U.S. political climate, and attackers switched targets depending on which journalists were covering topics in which the Chinese government has interest, they said.
One reconnaissance phishing campaign occurred in the days immediately preceding the Jan. 6 attack on the U.S. Capitol building, with attackers focusing specifically on White House and Washington-based correspondents during this time, they said.
Attacker used subject lines pulled from recent U.S. news articles related to pertinent political topics at the time, including actions of former President Donald Trump, U.S. political movements related to China and, more recently, the U.S. stance and involvement in Russia’s war against Ukraine, researchers said.
Varying Payloads
In the observed campaigns, Zirconium used as its payload web beacons, a tactic consistent with malicious cyberespionage campaigns against journalists that the APT has conducted since 2016, researchers said.
Web beacons, commonly referred to as tracking pixels, tracking beacons, or web bugs, embed a hyperlinked non-visible object within the body of an email that, when enabled, attempts to retrieve a benign image file from an actor-controlled server.
“Proofpoint researchers assess these campaigns have been intended to validate targeted emails are active and to gain fundamental information about the recipients’ network environments,” they wrote.
Researchers observed another Chinese-backed APT, TA459, in late April 2022 targeting media personnel in Southeast Asia with emails containing a malicious Royal Road RTF attachment, if opened, would install and execute Chinoxy malware–a backdoor that is used to gain persistence on a victim’s machine.
The targeted entity was responsible for reporting on the Russia-Ukraine conflict, which aligns with TA459’s historic mandate of collecting on intelligence matters related to Russia and Belarus, researchers noted.
Fake Job Opportunities from North Korea
Researchers also observed North Korea-aligned TA404—better known as Lazarus–in early 2022 targeting a U.S.-based media organization with phishing attacks that appeared to offer job opportunities from reputable companies to journalists, they reported. The attack is reminiscent of a similar one against engineers that the group mounted in 2021.
“It started with reconnaissance phishing that used URLs customized to each recipient,” researchers wrote of the recent phishing campaign. “The URLs impersonated a job posting with landing pages designed to look like a branded job posting site.”
The sites were fraudulent, however, and the URLs were armed to relay identifying information about the computer, or device someone was working from to allow the host to keep track of the intended target, researchers said.
Turkey-backed APT Targets Twitter Credentials
APTs with alleged ties to Turkey’s government have also targeted journalists, with one campaign including one “prolific threat actor” TA482 observed by Proofpoint. According to researchers, the APT has been actively targeting journalists since early 2022, via Twitter accounts in efforts to steal credentials from mainly U.S.-based journalists and media organizations.
The motive behind the group appears to be to spread propaganda in support of President Recep Tayyip Erdogan the Turkish ruling political party, Justice and Development Party, though this cannot be confirmed with certainty, researchers noted.
The campaigns use phishing emails typically related to Twitter security—alerting a user to a suspicious log-in–to gain the recipient’s attention, taking them to a credential harvesting page that impersonates Twitter if they click on a link.
Iranian APTs Harvest Credentials
Iran-linked APTs have been particularly active on their assault against journalists and newspapers, typically posing as journalists themselves in attacks to engage in surveillance against targets and harvest their credentials, Proofpoint has found.
One of the most active perpetrators of these attacks is TA453, known as Charming Kitten, a notorious group aligned with intelligence collection efforts of Iran’s Islamic Revolutionary Guard Corp, Proofpoint said.
This group is notorious for masquerading as journalists from around the world to target journalists, academics and researchers alike by engaging in discussion about
foreign policy or other topics related to the Middle East, after which they will be invited to a virtual meetings via a customized, but benign PDF.
However, the PDF—typically delivered from file hosting services—almost always contains a link to a URL shortener and IP tracker that redirects targets to actor-controlled credential-harvesting domains, researchers said.
TA456, also known as Tortoiseshell, is another Iran-aligned threat actor that routinely poses as media organizations to target journalists with newsletter-themed emails containing web beacons that can track targets.
Another Iranian state-sponsored actor, TA457, hides behind the persona of a fake media organization called “iNews Reporter” to deliver malware to public relations personnel
for companies located in the United States, Israel and Saudi Arabia, researchers said. Between September 2021 and March 2022, Proofpoint observed campaigns by the prolific threat actor that occurred approximately every two to three weeks, they said.
In one campaign that occurred in March 2022, TA457 sent an email with the ironic subject line “Iran Cyber War” that ultimately dropped a remote access trojan on victims’ machines. The campaign was seen targeting both individual and group email addresses at a handful of Proofpoint customers involved in energy, media, government and manufacturing, researchers reported.
[FREE On-demand Event: Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office. WATCH HERE.]