Chinese hackers targeted US journalists ahead of the Capitol riots

China-linked phishing campaigns abruptly refocused on White House correspondents and Washington DC-based journalists in the days immediately before the attack on the US Capitol Building on 6 January 2021.

The China-linked advanced persistent threat (APT) actor Zirconium, also tracked as TA412, carried out several phishing campaigns aimed at compromising US-based journalists covering US politics and national security.

Researchers at cybersecurity firm Proofpoint claim that Zirconium has engaged in numerous reconnaissance phishing campaigns, favoring malicious emails that contain web beacons, also called 'tracking pixels.'

A web beacon is a remote image, often a single transparent pixel, embedded in the body of a message. When the recipient's mail client fetches it, the attacker's server logs the request, which confirms the address is live and reveals details such as the recipient's IP address. That reconnaissance is then used to plan more targeted follow-on phishing.

Researchers found that at the start of 2021, days before the attack on the Capitol, Zirconium swiftly refocused on Washington-based correspondents.

Journalists were targeted with phishing emails whose subject lines were copied from recent news articles, with a web beacon hidden in the body of the message. If a targeted journalist's mail client loaded the remote image, the attackers received information such as the victim's IP address, confirmation of the email address, and whether the account was active.

Figure: Sample of a web beacon reconnaissance email used by TA412. Image by Proofpoint.
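As an added example (not code from the article or from Proofpoint), the following Python checker applies the heuristics described above to a raw email: it flags remote images that are rendered 1x1 or hidden by CSS and that carry a unique-looking token in the query string. The sample message, the domain beacon.example and the parameter name id are constructed for illustration.

```python
"""Detect web-beacon (tracking pixel) images in an e-mail body.

Added example, not part of the Cybernews article or Proofpoint's research.
The sample message below is constructed for illustration; the domain
'beacon.example' and the query parameter 'id' are assumptions.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed raw message: a news-style lure with one hidden remote image
# and one ordinary logo image for comparison.
SAMPLE_EML = b"""\
From: news@example.invalid
To: reporter@example.invalid
Subject: Senators weigh new election security measures
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Full text of the story below.</p>
<img src="https://beacon.example/open.gif?id=4f2a9c1e" width="1" height="1" style="display:none">
<img src="https://cdn.example.invalid/logo.png" width="200" height="60" alt="logo">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attribute dictionary of every <img> tag in the HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height attribute values of 0 or 1 pixels."""
    m = re.match(r"^\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 1


def find_beacons(raw_message: bytes):
    """Return suspected beacon images with the reasons each was flagged.

    Heuristics: the src is remote (http/https) and the image is 1x1,
    hidden by CSS, or carries a per-recipient-looking token in its query.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = _ImgCollector()
    parser.feed(body.get_content())

    findings = []
    for img in parser.images:
        src = img.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # inline (cid:/data:) images cannot phone home
        reasons = []
        if _is_tiny(img.get("width", "")) and _is_tiny(img.get("height", "")):
            reasons.append("1x1 pixel")
        style = img.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if any(len(v[0]) >= 8 for v in parse_qs(url.query).values()):
            reasons.append("unique token in query string")
        if reasons:
            findings.append({"src": src, "host": url.hostname, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_EML):
        print(finding["host"], "->", ", ".join(finding["reasons"]))
```

The same check can be run over an exported mailbox to see which remote hosts a newsroom's mail clients have already been fetching; the simplest mitigation remains blocking automatic remote-image loading in the mail client.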

Recurring threat

TA412 then went dormant for almost six months, returning in August 2021 to target media representatives again. According to Proofpoint, this time the group set its sights on journalists working on cybersecurity, surveillance, and privacy topics with a focus on China.

"Those targeted appeared to have written extensively on social media privacy issues and Chinese disinformation campaigns, signaling an interest by the Chinese state in media narratives that could push a negative global opinion or perception of China," reads the report.

The focus on journalists covering China was followed by another months-long hiatus. Zirconium turned its attention back to the press once the Kremlin began massing troops in preparation for the invasion of Ukraine.

Starting in early February 2022, the group targeted US-based media organizations and contributors who wrote about US and European engagement in the anticipated Russia-Ukraine war.

Later Chinese efforts included phishing campaigns carrying Chinoxy, a backdoor used to gain access to a victim's device. The targeted entity was reporting on the Russia-Ukraine conflict.

Proofpoint researchers also noted that actors linked to North Korea, Iran, and Turkey have, to varying extents, carried out targeted campaigns against US-based journalists.

"[…] the knowledge and access that a journalist or news outlet can provide is unique in the public space. Targeting the media sector also lowers the risk of failure or discovery to an APT actor than going after other, more hardened targets of interest, such as government entities," reads the report.

Relentless Beijing

A separate cluster of China-linked threat activity has been targeting Russian organizations, according to researchers at SentinelLabs.

The group known as Mustang Panda has targeted Russian organizations since the start of the war in Ukraine, while a newly identified group dubbed 'Space Pirates' has penetrated Russia's space technology sector.

According to the report, the attackers use phishing emails to deliver remote access trojans (RATs) through weaponized Microsoft Office documents: the Royal Road document builder is used to drop the Bisonal backdoor. Both tools are commonly used by China-linked hackers, suggesting Beijing is behind the attacks.

"While the overlap of publicly reported actor names inevitably muddies the picture, it remains clear that the Chinese intelligence apparatus is targeting a wide range of Russian-linked organizations," reads the report.
