“Targeting the media sector also lowers the risk of failure or discovery to an APT actor than going after other, more hardened targets of interest, such as government entities.”
After this spate of campaigns, the actor paused its activity until Feb. 9, 2022, when researchers identified a renewed surge of campaigns over a period of ten days, indicating an interest in collecting data on U.S.-based media organizations reporting on U.S. and European engagement in the Russia-Ukraine war.
The North Korea-aligned TA404, also known as Lazarus, was also seen targeting an unnamed U.S.-based media organization in early 2022 with phishing emails that leveraged job opportunity lures, after the organization published an article critical of North Korean leader Kim Jong Un. The reconnaissance phishing campaign used customized URLs with landing pages that impersonated branded job posting sites.
“If a victim interacted with the URL, which contained a unique target ID, the server resolving the domain would have received confirmation that the email was delivered, and the intended target had interacted with it,” said researchers. “This request also provides identifying information about the computer, or device, allowing the host to keep track of the intended target.”
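The reconnaissance link described above is, from the defender's side, a per-recipient tracking beacon: every target gets a URL carrying a token nobody else receives, so a single hit tells the operator exactly who opened the mail. The script below, an added example that is not Proofpoint's code or tooling from the article, looks for that one-to-one pattern in a web proxy log: for each (host, query parameter) pair it checks whether every client fetched its own distinct, long, high-entropy value. The log lines, the lookalike domain `careers-jobpostings.example`, the `tid` parameter name and the thresholds are all constructed assumptions for the demonstration.

```python
import math
from collections import Counter, defaultdict
from urllib.parse import urlparse, parse_qsl

# Constructed sample proxy log (not real traffic): "timestamp client_ip method url".
# careers-jobpostings.example is a hypothetical job-posting lookalike; its "tid"
# values stand in for the unique target IDs the article describes.
SAMPLE_PROXY_LOG = """\
2022-02-09T10:01:12Z 10.1.4.22 GET http://careers-jobpostings.example/apply?tid=7f3a9c2e1b4d5f60a1b2c3d4
2022-02-09T10:03:40Z 10.1.4.31 GET http://careers-jobpostings.example/apply?tid=0c1d2e3f4a5b6c7d8e9f0a1b
2022-02-09T10:05:02Z 10.1.4.57 GET http://careers-jobpostings.example/apply?tid=5e6f7a8b9c0d1e2f3a4b5c6d
2022-02-09T10:06:11Z 10.1.4.22 GET http://news.example/article?id=123
2022-02-09T10:07:30Z 10.1.4.31 GET http://news.example/article?id=123
2022-02-09T10:08:05Z 10.1.4.57 GET http://news.example/article?id=456
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score well above short or sequential values."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def looks_like_target_id(value: str, min_len: int = 16, min_entropy: float = 3.0) -> bool:
    """Heuristic (assumed thresholds): long and high-entropy, i.e. machine-generated."""
    return len(value) >= min_len and shannon_entropy(value) >= min_entropy


def parse_proxy_log(text: str):
    """Yield (timestamp, client_ip, method, url) from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, client, method, url = line.split(maxsplit=3)
            yield ts, client, method, url


def find_beacon_candidates(log_text: str, min_clients: int = 3) -> dict:
    """Flag (host, param) pairs where every client fetched its own unique, high-entropy value.

    A strict one-to-one mapping between clients and token values is the signature of
    a per-recipient tracking link: the server learns which target opened the mail,
    not merely that someone did. Shared values (a normal article id) are never flagged.
    """
    client_values = defaultdict(lambda: defaultdict(set))  # (host, param) -> client -> {values}
    value_clients = defaultdict(lambda: defaultdict(set))  # (host, param) -> value -> {clients}
    for _, client, _, url in parse_proxy_log(log_text):
        parsed = urlparse(url)
        for name, value in parse_qsl(parsed.query):
            key = (parsed.hostname, name)
            client_values[key][client].add(value)
            value_clients[key][value].add(client)

    flagged = {}
    for key, per_client in client_values.items():
        if len(per_client) < min_clients:
            continue
        per_value = value_clients[key]
        one_to_one = (all(len(v) == 1 for v in per_client.values())
                      and all(len(c) == 1 for c in per_value.values()))
        if one_to_one and all(looks_like_target_id(v) for v in per_value):
            flagged[key] = {client: next(iter(vals)) for client, vals in per_client.items()}
    return flagged


if __name__ == "__main__":
    for (host, param), hits in find_beacon_candidates(SAMPLE_PROXY_LOG).items():
        print(f"possible tracking beacon: {host} param={param!r}")
        for client, token in sorted(hits.items()):
            print(f"  {client} -> {token}")
```

The check deliberately requires several distinct clients before it fires; a single user clicking a single tokenised link is indistinguishable from a legitimate password-reset URL, but a batch of colleagues each hitting the same host with their own unique token, shortly after a mail campaign, is worth a look.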
Researchers said they observed shared indicators of compromise between this attack and the “Operation Dream Job” campaign that was disclosed on March 24 by the Google Threat Analysis Group (though journalism and media were not listed by Google TAG for Operation Dream Job’s targeted sectors).
Threat actors have also posed as well-known media organizations and journalists in order to target the organizations they interact with. The Iran-aligned threat actor TA457, for instance, has delivered malware to public relations teams at companies in the U.S., Israel and Saudi Arabia since late 2021. In March, the actor sent an email with the subject line “Iran Cyber War” containing a URL that ultimately delivered a remote access trojan which used DNS tunneling to a hardcoded domain. Another Iran-aligned actor, TA456 (also known as Tortoiseshell), was observed sending newsletters purporting to be from media organizations such as Fox News and the Guardian to various targets.
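A RAT that tunnels over DNS to a hardcoded domain leaves a characteristic trace in resolver logs: one client issuing many queries for a single base domain, each with a long, high-entropy, never-repeated leftmost label that carries the encoded data. The script below is an added example, not code from Proofpoint or from the article, that scores (client, base domain) groups on exactly those features. The log lines, the hypothetical tunnel domain `c2relay.example`, the thresholds, and the simplification that the registrable domain is the last two labels (no public-suffix handling) are all assumptions made here.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (not real traffic): "timestamp client_ip qtype qname".
# c2relay.example is a hypothetical hardcoded tunnel domain; the hex-looking labels
# mimic encoded data. 10.1.4.22 browsing news.example is benign control traffic with
# just as many unique subdomains, which the length/entropy checks must not flag.
SAMPLE_DNS_LOG = """\
2022-03-14T09:00:01Z 10.1.4.57 TXT 3f9a0c7e2b5d8146a9c3e0f7b2d5018e4c6f.c2relay.example
2022-03-14T09:00:02Z 10.1.4.57 TXT 7d2e94b1c6a053f8e1b7d4a2c9f6e3b08d15.c2relay.example
2022-03-14T09:00:03Z 10.1.4.57 TXT b0e5c2a9d7f13468e2a5c8b1d4f7a0e3c692.c2relay.example
2022-03-14T09:00:04Z 10.1.4.57 TXT 19c4a7e2f5b8d0c3e6a9f1b4d7c0e3a6f582.c2relay.example
2022-03-14T09:00:05Z 10.1.4.57 TXT e8b3f6a1d4c7e0b9a2f5d8c1e4b7a0d3f6c2.c2relay.example
2022-03-14T09:00:06Z 10.1.4.57 TXT 4a6d1f8c3b0e5a9d2c7f4b1e8a3d6c0f9b25.c2relay.example
2022-03-14T09:00:10Z 10.1.4.57 A www.news.example
2022-03-14T09:00:11Z 10.1.4.22 A www.news.example
2022-03-14T09:00:12Z 10.1.4.22 A mail.news.example
2022-03-14T09:00:13Z 10.1.4.22 A cdn.news.example
2022-03-14T09:00:14Z 10.1.4.22 A static.news.example
2022-03-14T09:00:15Z 10.1.4.22 A login.news.example
2022-03-14T09:00:16Z 10.1.4.22 A api.news.example
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of the label; encoded payload scores far above hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def base_domain(qname: str, levels: int = 2) -> str:
    """Registrable domain approximated as the last `levels` labels.

    Assumption for this example: no public-suffix list, so co.uk-style suffixes
    would need proper PSL handling in production.
    """
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-levels:])


def parse_dns_log(text: str):
    """Yield (timestamp, client_ip, qtype, qname) from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, client, qtype, qname = line.split()
            yield ts, client, qtype, qname


def find_tunnel_candidates(log_text: str, min_unique: int = 5,
                           min_mean_len: float = 20.0, min_mean_entropy: float = 3.0) -> dict:
    """Flag (client, base_domain) groups whose subdomain prefixes look like encoded data.

    The prefix is everything left of the base domain. Tunnel traffic shows many unique,
    long, high-entropy prefixes from one host to one domain; ordinary browsing shows
    short dictionary-like labels (www, mail, cdn) even when there are many of them.
    """
    groups = defaultdict(list)  # (client, base) -> [(qtype, prefix)]
    for _, client, qtype, qname in parse_dns_log(log_text):
        name = qname.rstrip(".")
        base = base_domain(name)
        prefix = name[: len(name) - len(base)].rstrip(".")
        groups[(client, base)].append((qtype, prefix))

    flagged = {}
    for (client, base), entries in groups.items():
        prefixes = {p for _, p in entries if p}
        if len(prefixes) < min_unique:
            continue
        mean_len = sum(len(p) for p in prefixes) / len(prefixes)
        mean_ent = sum(shannon_entropy(p) for p in prefixes) / len(prefixes)
        if mean_len >= min_mean_len and mean_ent >= min_mean_entropy:
            flagged[(client, base)] = {
                "queries": len(entries),
                "unique_prefixes": len(prefixes),
                "mean_prefix_len": round(mean_len, 1),
                "mean_prefix_entropy": round(mean_ent, 2),
                "qtypes": sorted({q for q, _ in entries}),
            }
    return flagged


if __name__ == "__main__":
    for (client, base), stats in find_tunnel_candidates(SAMPLE_DNS_LOG).items():
        print(f"possible DNS tunnel: {client} -> {base}: {stats}")
```

Because the article's RAT used a hardcoded domain, the grouping key is the base domain rather than the full name; a detection keyed on exact query names would see six one-off lookups and nothing else. TXT and NULL record types in the `qtypes` field are a further hint, since they carry the most response data per query, but the length and entropy of the labels do the real work.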
Despite the continued targeting of journalists and other high-risk users by APTs, tech companies are taking steps to protect against these types of attacks. Apple recently announced a set of security capabilities for iOS 16 called Lockdown Mode, meant specifically for journalists and political dissidents, which will severely restrict iPhone functionality when enabled. Meanwhile, Google in June applied its Safe Browsing protections to more than 30 domains linked to several hack-for-hire operations that were being used to target journalists.
“The varied approaches by APT actors—using web beacons for reconnaissance, credential harvesting, and sending malware to gain a foothold in a recipient’s network—means those operating in the media space need to stay vigilant,” said Proofpoint researchers. For individual journalists, “assessing one’s personal level of risk can give an individual a good sense of the odds they will end up as a target.”