What US Journalists Need To Know About The The Foreign Hackers Targeting Them

In the days just before the January 6 attack at the US Capitol Building in 2021, a flurry of emails with seemingly anodyne subject lines started landing in the inboxes of White House correspondents and other journalists who cover national politics. Those subject lines, pulled from recent US news articles, read like quick blasts of news filtered through a distinctly partisan lens: US issues Russia threat to China. Trump Call to Georgia Official Might Violate State and Federal Law. And, Jobless Benefits Run Out as Trump Resists Signing Relief Bill.

In reality, those were emails sent by Chinese hackers, part of a sprawling intelligence collection campaign detailed in recent days by ProofpointPFPT
cybersecurity researchers. Such activity especially ramped up around January 6, some of which was driven by perplexed foreign interests that wanted to try and gain real-time insight into what was happening on the ground — and what it might portend for the US.

More ominously, though, that specific effort was just one of a multitude of state-backed hacking campaigns targeting US-based journalists tracked by the Proofpoint team. And not only have those efforts intensified in recent years, to include cyberattacks originating everywhere from North Korea to Iran that target US journalists.

Ominously, Proofpoint’s newly released analysis has also found these and other hackers relying on a sophisticated suite of tools including phishing emails as recently as just a few weeks ago, all in an effort to burrow into computer systems and access sensitive information that journalists via their high-profile sources are often privy to.

Hackers, regardless of state affiliation, “have and will likely always have a mandate to target journalists and media organizations and will use associated personas to further their objectives and collection priorities,” Proofpoint’s report warns. “From intentions to gather sensitive information to attempts to manipulate public perceptions, the knowledge and access that a journalist or news outlet can provide is unique in the public space.

“Targeting the media sector also lowers the risk of failure or discovery to an (advanced persistent threat) actor than going after other, more hardened targets of interest, such as government entities.”

This is why Turkish hackers earlier this year, for example, were found trying to compromise the social media accounts of journalists and academics in an attempt to disseminate propaganda that favors the country’s regime under President Recep Erdogan. Along those same lines, a Chinese hacking group known alternately as TA412 and Zirconium has since early 2021 engaged in phishing reconnaissance against US journalists.

This Chinese group is believed to have “strategic espionage objectives,” according to Proofpoint, and laces emails sent to its targets with tracking pixels. The group’s stealth campaigns are also sophisticated enough that the hackers will tweak the email “dangles” that they use to lure targets with, depending on how the US political environment changes — and depending on the ever-shifting interest priorities of the Chinese government.

Then there’s the collective of Iranian hackers identified in Proofpoint’s research as TA453 (aka “Charming Kitten”) — a hacking group that “routinely masquerades as journalists from around the world.” These attackers are believed to support the intelligence collection efforts of the Islamic Revolutionary Guard Corps, and they routinely target unsuspecting academics and Middle East foreign affairs policy experts.

All of that, and more, in the Proofpoint research begs an obvious question:

If that’s the well-resourced threat landscape that journalists face, is vulnerability to those hacks, threats, intrusions, and attacks a foregone conclusion? What chance does a reporter with a deadline always looming — and who uses a company email account —stand against shadow armies of state-backed hackers?

“There are a number of ways journalists can protect themselves from APT attacks,” Sherrod DeGrippo, Proofpoint vice president of threat research and detection, told me. “One is for journalists and their associated outlets to understand their overall level of risk. For example, we have seen targeted attacks against academics and foreign policy experts, particularly those working on Middle Eastern foreign affairs, so individuals in this line of work should be particularly cautious.

“Another is if journalists are going to use email addresses outside of their corporate domain, such as Gmail or ProtonMail, they should list those publicly on their website so public sources can verify whether or not it’s a legitimate email. Conversely, experts approached by journalists should check the journalist’s website to see if the email address belongs to the journalist.”

DeGrippo continues that it’s also up to organizations including media groups “to gain a clear understanding of who their most attacked people are within the organization, that way they can define and set specific levels of security to make sure potential targets are well protected. We also recommend robust, comprehensive, and regular cybersecurity awareness training to give potential targets the skills to identify and correctly respond to any similar threats, as threat actors will always adapt and hone their tactics.”