State-backed hackers targeted US-based journalists in widespread spy campaigns: report

State-sponsored hackers from China, North Korea, Iran and Turkey have been regularly spying on and impersonating journalists from various media outlets in an effort to infiltrate their networks and gain access to sensitive information, according to a report released on Thursday by cybersecurity firm Proofpoint. 

The report reveals that government-backed hackers used various tools to target journalists, including sending phishing emails to gain access to reporters’ work emails, social media accounts and networks.

The report also suggested that state-sponsored hackers routinely pose as members of the media because of the “unique access and information they can provide,” to those countries’ governments.

The hackers could potentially use information they obtained from compromised accounts to spread pro-state propaganda and influence “a politically charged atmosphere.”

“A well-timed, successful attack on a journalist’s email account could provide insights into sensitive, budding stories and source identification,” the report said. 

In one of the operations, the report found that since early 2021, Chinese-backed hackers engaged in numerous phishing attacks mainly targeting U.S.-based journalists covering U.S. politics and national security. 

Some of the malicious emails would have subject lines pulled from recent U.S. headlines, including “Trump call to Georgia official might violate state and federal law,” “US issues Russia threat to China,” and “Jobless benefits run out as Trump resists signing relief bill.”

The attacks also appeared to surge during moments that garnered international attention. For instance, the researchers found an increase in phishing attacks against journalists in the days leading up to the Jan. 6 insurrection. 

The report also found similar cyber operations from state-sponsored hackers in Turkey, Iran and North Korea.

In Turkey, for instance, the researchers found that since early 2022, hackers have targeted social media accounts of mostly U.S.-based journalists and media organizations. Specifically, the hackers would attempt to gain access to Twitter credentials of any individual that writes for a media outlet or for an academic institution. 

The researchers also speculated that Turkish-backed hackers may use compromised social media accounts to spread propaganda that favors Turkish President Recep Erdogan.

“It is possible these attacks will ramp up as Turkey’s 2023 parliamentary and presidential elections draw near,” the report said. 

In Iran, the researchers uncovered that hackers would impersonate journalists to gain access to their networks and directly reach out to sources that have expertise in Middle Eastern foreign policy. 

“The threat actor uses these personas to engage in benign conversations with targets, which consist mostly of academics and policy experts working on Middle Eastern foreign affairs,” the report said. 

The researchers concluded their report with a warning to journalists to protect themselves and their sources because these types of attacks are likely to persist as state-sponsored hackers attempt to gather more sensitive information and manipulate public perception. 

“In an era of digital dependency, the media, like the rest of us, is vulnerable to a variety of cyber threats [and] some of the most potentially impactful are those stemming from [state-sponsored] actors,” said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint.