Search our Knowledgebase


STATE ACTORS: Proofpoint identifies sustained APT attacks targeting Journalists & Media

STATE ACTORS: Proofpoint identifies sustained APT attacks targeting Journalists & Media
Report Syndicated By: Iain Fraser/CyberPR - Gibraltar

Above the Fold and in Your Inbox: Tracing State-Aligned Activity Targeting Journalists, Media

Journalists and media organizations suffer from many of the same threats as everyone else. Between threat actors wanting to steal credentials to resell or to utilize compromised hosts for brokered initial access to spread ransomware, among other threats, this sector is no stranger to the dangers of the threat landscape. Advanced persistent threat (APT) actors, however, look to those in the field of media for different purposes; ones that could have far-reaching impacts.

Journalists and media organizations are well sought-after targets with Proofpoint researchers observing APT actors, specifically those that are state-sponsored or state-aligned, routinely masquerading as or targeting journalists and media organizations because of the unique access and information they can provide. The media sector and those that work within it can open doors that others cannot. A well-timed, successful attack on a journalist’s email account could provide insights into sensitive, budding stories and source identification. 

A compromised account could be used to spread disinformation or pro-state propaganda, provide disinformation during times of war or pandemic, or be used to influence a politically charged atmosphere. Most commonly, phishing attacks targeting journalists are used for espionage or to gain key insights into the inner workings of another government, company, or other area of state-designated import.

Proofpoint data since early 2021 shows a sustained effort by APT actors worldwide attempting to target or leverage journalists and media personas in a variety of campaigns, including those well-timed to sensitive political events in the United States. Some campaigns have targeted the media for a competitive intelligence edge while others have targeted journalists immediately following their coverage painting a regime in a poor light or as a means to spread disinformation or propaganda. For the purposes of this report, we focus on the activities of a handful of APT actors assessed to be aligned with the state interests of China, North Korea, Iran, and Turkey.

Targeting Journalists’ Work Email Accounts

As observed in Proofpoint data, targeting journalists’ work email accounts is by far the most seen locus of attack used by APT actors against this target set. It is important to note that journalists are communicating with external, foreign, and often semi-anonymous parties to gather information. This outreach increases the risk of phishing since journalists, often by necessity, communicate with unknown recipients more so than the average user. Verifying or gaining access to such accounts can be an entry point for threat actors for later stage attacks on a media organization’s network or to gain access to desired information.


Since early 2021, the APT actor tracked by Proofpoint as TA412, known also as Zirconium based on public reporting by Microsoft about a phishing reconnaissance team within this larger APT threat actor designation, has engaged in numerous reconnaissance phishing campaigns targeting US-based journalists. TA412, which is believed to be aligned with the Chinese state interest and to have strategic espionage objectives, has favoured using malicious emails containing web beacons in these campaigns. This is a technique consistently used by the threat actor since at least 2016, however, it was likely in use for years prior. Web beacons, which are commonly referred to as tracking pixels, tracking beacons, and web bugs, embed a hyperlinked non-visible object within the body of an email that, when enabled, attempts to retrieve a benign image file from an actor-controlled server. Learn More /...

Cybersecurity Journalist

Post a Comment

* Please Don't Spam Here. All the Comments are Reviewed by Admin.

Top Post Ad

Microsoft365 for Business

Below Post Ad

Get 10 for £10 at New Scientist now