Researchers at cybersecurity firm Proofpoint said they have observed the China-backed advanced persistent threat group TA412, also known as Zirconium, engaging in a number of reconnaissance phishing campaigns since early last year.
Proofpoint says it witnessed five separate phishing campaigns in January and February 2021 targeting U.S.-based journalists, particularly those covering U.S. politics and national security. However, the researchers noted a “very abrupt shift in targeting of reconnaissance phishing” in the days leading up to the January 6 attack on the U.S. Capitol, with the hackers focusing on Washington D.C. and White House correspondents.
The China-backed hackers used subject lines pulled from recent U.S. news articles, such as “Jobless Benefits Run Out as Trump Resists Signing Relief Bill,” “US issues Russia threat to China,” and “Trump Call to Georgia Official Might Violate State and Federal Law,” according to the researchers.
Then, months later in August 2021, Zirconium turned its attention to journalists working on cybersecurity, surveillance, and privacy issues with a focus on China. The group resumed its activity in February 2022, following a months-long pause, to target U.S.-based media organizations reporting on Russia’s then-anticipated invasion of Ukraine.
Proofpoint observed another China-backed threat group, known as TA459, targeting journalists and media personnel in late April 2022 with malware that, if opened, gave the attackers a backdoor into a victim’s machine. This campaign used a potentially compromised Pakistani government email address to send the emails and sought to entice victims with a lure on foreign policy in Afghanistan.
The researchers said they have seen a “sustained effort” by advanced threat groups around the world targeting or leveraging journalists, and found similar cyber-operations launched by state-sponsored hackers in North Korea, Turkey and Iran.
The North Korean-aligned TA404 hacking group, better known as Lazarus, was also active in targeting American journalists. The group, which was recently linked to the $100 million Harmony bridge theft, is alleged to have targeted a media organization with job opportunity-themed phishing after it published an article critical of North Korean leader Kim Jong-un. While Proofpoint didn’t see follow-up emails, its researchers note that the attack shares indicators of compromise with a North Korean campaign observed by Google threat researchers earlier this year.
In Turkey, a threat actor that Proofpoint tracks as TA482 and associates with the Turkish government was observed engaging in credential harvesting campaigns that targeted the social media accounts of mostly U.S.-based journalists and media organizations. The researchers also report that TA453, another hacking group believed to support Iran’s Islamic Revolutionary Guard Corps intelligence collection efforts, is masquerading as journalists before deploying credential harvesting malware.
Proofpoint said that while targeting journalists and media organizations is not novel, those working in the media space should assess their level of risk. “If you report on China or North Korea or associated threat actors, you may become part of their collection requirements in the future,” the researchers warn.