APT organizations that are allegedly affiliated with China, North Korea, Iran, and Turkey are described in detail by researchers in a Proofpoint report released on Thursday. Attacks started in early 2021 and are still happening, according to researchers.
Targeted phishing attacks are linked to several threat actors who have independently focused on acquiring journalist credentials and sensitive data as well as tracking their locations.
Targeting journalist
Proofpoint monitored the activities of the APT group TA412 also known as Zirconium, which attacked journalists based in the US. The nation-state hackers implanted a hyperlinked invisible item within an email body by using phishing emails that contained web beacons such as tracking pixels, tracking beacons, and web bugs.
Journalists based in the US who were being targeted were investigating matters of domestic politics and national security and writing about subjects that favored Beijing.
- By February 2022, Zirconium had resumed its operations against journalists using the same tactics, with a particular emphasis on those who were reporting the Russia-Ukraine conflict.
- Proofpoint discovered another Chinese APT organization known as TA459 in April 2022 that was targeting journalists with RTF files that, when viewed, released a copy of the Chinoxy malware. These hackers specifically targeted journalists covering Afghan foreign affairs.
- Early in 2022, the TA404 group, also known as Lazarus, targeted a media company with a base in the United States. As lures, the attackers utilized phishing messages with job offers.
- Finally, Turkish threat actors identified as TA482 planned campaigns to harvest credentials from journalists' social media accounts.
Not all hackers, however, are motivated to work hard to breach journalist data. This strategy has mostly been used by Iranian actors, like TA453 or Charming Kitten, who had sent emails to academics and Middle East policy experts while pretending to be reporters.
Finally, Proofpoint draws attention to the activities of Iranian hackers TA457, who initiated media-targeting efforts every 2 to 3 weeks between September 2021 and March 2022.
It's also essential to understand the wide attack surface—all the various web channels used for information and news sharing—that an APT attacker can exploit. Finally, exercising caution and confirming an email's identity or source can stop an APT campaign in its early stages.