APT groups have been impersonating journalists, infiltrating media organizations, and attempting to turn fake news into “real” news, among other agendas

Various Iranian-aligned threat actors, such as Charming Kitten (TA453) and Tortoiseshell (TA456), have been observed by cybersecurity researchers posing as journalists from publications such as The Guardian, The Sun, Fox News and The Metro.

This is part of a move by Advanced Persistent Threat (APT) groups aligned with China, North Korea, Iran, and Turkey that target journalists to conduct espionage, spread malware, and infiltrate media organizations.

The attacks also target academics and foreign policy experts worldwide in an effort to gain access to sensitive information. Other findings include:

  • TA412, a China-aligned APT group, was observed conducting reconnaissance activities just days before the January 2021 attack on the US Capitol building. The same group resumed targeting in early 2022, focusing on reporters covering American and European engagements in the Russia-Ukraine war.
  • North Korea’s Lazarus Group (TA404) has also targeted US media organizations with phishing campaigns promising job opportunities. This attack occurred after one organization published an article critical of North Korean leader Kim Jong Un.
  • Threat actors aligned with Turkey have focused their efforts on gaining access to journalists’ social media accounts, with the likely aim of spreading pro-Erdogan propaganda and targeting further contacts.

Researchers from Proofpoint, who disclosed these campaigns against journalists, are concerned that a well-timed, successful attack on journalists’ work email and social media accounts could provide insight into sensitive, budding stories, as well as identify their sources.

Compromised accounts could then be used to spread disinformation or pro-state propaganda, especially in times of war or pandemic, or to influence a politically charged atmosphere. According to the firm, once one account is compromised, attackers gain access to the rest of the organization in a domino effect.