China-backed hackers targeted White House journalists before January 6

Researchers at cybersecurity company Proofpoint said they have observed the China-backed advanced persistent threat group, TA412, also known as Zirconium, engaging in several reconnaissance phishing campaigns since early last year.

Proofpoint says it witnessed five separate phishing campaigns in January and February 2021 targeting U.S.-based journalists, notably those covering U.S. politics and national security. However, the researchers noted a “very abrupt shift in targeting of reconnaissance phishing” in the days leading up to the January 6 attack on the U.S. Capitol, with the hackers focusing on Washington, D.C. and White House correspondents.

The China-backed hackers utilized subject lines pulled from recent U.S. news articles, such as “Jobless Benefits Run Out as Trump Resists Signing Relief Bill,” “US issues Russia threat to China” and “Trump Call to Georgia Official Might Violate State and Federal Law,” according to the researchers.

Then, months later in August 2021, Zirconium turned its attention to journalists working on cybersecurity, surveillance and privacy issues with a focus on China. The group resumed its activity in February 2022 following a months-long pause to target U.S.-based media organizations reporting on Russia’s then-anticipated invasion of Ukraine.

Proofpoint observed another China-backed threat group, known as TA459, targeting journalists and media personnel in late April 2022 with malware that, if opened, gave the attackers a backdoor to a victim’s machine. This campaign used a potentially compromised Pakistani government email address to send the emails and looked to entice victims with a lure on foreign policy in Afghanistan.

The researchers said it has seen a “sustained effort” by advanced threat groups around the world targeting or leveraging journalists, and found similar cyber-operations launched by state-sponsored hackers in North Korea, Turkey and Iran.

The North Korean-aligned TA404 hacking group, better known as Lazarus, was also active in targeting American journalists. The group, which was recently linked to the $100 million Harmony bridge theft, is said to have targeted a media organization with job opportunity-themed phishing after it published an article critical of North Korean leader Kim Jong-un. While Proofpoint did not see follow-up emails, its researchers note that the attack shares indicators of compromise with a North Korean campaign observed by Google threat researchers earlier this year.

In Turkey, a threat actor that Proofpoint tracks at TA482 and associates with the Turkish government was observed engaging in credential harvesting campaigns that targeted the social media accounts of mostly U.S.-based journalists and media organizations. The researchers also report that TA453, another hacking group that is believed to support Iran’s Islamic Revolutionary Guard Corps intelligence collection efforts, is masquerading as journalists before deploying credential harvesting malware.

Proofpoint said that while targeting journalists and media organizations is not novel, those operating in the media space should assess their level of risk. “If you report on China or North Korea or associated threat actors, you may become part of their collection requirements in the future,” the researchers warn.