Threat actors are posing as journalists from well-known newspapers to lure targets into taking actions such as clicking on links or downloading special software, which is most likely malware. The campaign has been running since early last year and is expected to continue.
Exploiting Exclusive Data Access of Journalists
Rather than money, most Advanced Persistent Threats (APTs) target people or networks for reconnaissance, and they use a range of techniques to achieve that aim with the backing of their respective states. In an ongoing campaign detailed by Proofpoint researchers, several APTs are posing as journalists to lure media houses and other journalists into downloading malware, so as to obtain important information that only they have access to.

For example, Zirconium (TA412), a Chinese APT, has been targeting American journalists since last year to obtain sensitive information by sending emails with embedded trackers. These trackers notify the attacker whenever the message is opened, exposing the reader's IP address, from which the attacker can derive the reader's location and ISP details. Another Chinese APT, TA459, was seen dropping Chinoxy malware through RTF files, mostly targeting media covering Afghanistan's foreign policy.

North Korean hackers tracked as TA404 are targeting media personnel with fake job postings as lures, and Turkish APTs tracked as TA482 are running credential-harvesting campaigns to steal journalists' social media accounts. Finally, Iranian hackers tracked as TA453 (Charming Kitten) are sending emails with malicious links to academics and Middle East policy experts. With more public exposure than most people, journalists are more likely to fall victim to such campaigns, the researchers warn.
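The embedded-tracker technique attributed to TA412 above works because a mail client fetches a remote image as soon as the message is rendered. The following Python script is an added example (not code from the article or from Proofpoint) that parses a constructed sample email and flags remote images that look like open beacons, the same signal a mail gateway or client uses to strip or proxy them; all addresses and the tracker URL are made up.

```python
import email, re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real capture): a hidden tokenised 1x1 beacon, a logo, a cid: image.
SAMPLE_EMAIL = b"""From: reporter@example-news.test
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello, could you comment on our story?</p>
<img src="https://tracker.example.test/open/0123456789abcdef0123456789abcdef.gif" width="1" height="1" style="display:none">
<img src="https://example-news.test/logo.png" width="200" height="60">
<img src="cid:inline-image-1"></body></html>
"""

class _ImgCollector(HTMLParser):  # gathers the attributes of every <img> tag
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def _is_tiny(value):  # width/height of 0 or 1 px ("1", "1px"): classic beacon size
    return re.match(r"\s*[01](?!\d)", value or "") is not None

def find_tracking_pixels(raw_message):
    """Return [(src, [reasons])] for remote images that look like open beacons."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))  # None for plain-text mail
    collector = _ImgCollector()
    collector.feed(body.get_content() if body else "")
    findings = []
    for attrs in collector.images:
        src = attrs.get("src") or ""
        if not src.lower().startswith(("http://", "https://")):
            continue  # cid:/data: images load locally and cannot phone home
        reasons = []
        if _is_tiny(attrs.get("width")) and _is_tiny(attrs.get("height")):
            reasons.append("1x1 size")
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        p = urlparse(src)  # a long opaque token in path/query is a per-recipient id
        if re.search(r"[A-Za-z0-9]{20,}", p.path + p.query):
            reasons.append("unique token in URL")
        if reasons:
            findings.append((src, reasons))
    return findings
```

Blocking remote image loading by default, or proxying images through a gateway, removes the IP leak regardless of how the beacon is disguised.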