China-backed hackers targeted White House journalists before January 6

Published by
Peter Kavinsky

Researchers at cybersecurity company Proofpoint said they have observed the China-backed advanced persistent threat group, TA412, also known as Zirconium, engaging in several reconnaissance phishing campaigns since early last year.

Proofpoint says it witnessed five separate phishing campaigns in January and February 2021 targeting U.S.-based journalists, notably those covering U.S. politics and national security. However, the researchers noted a “very abrupt shift in targeting of reconnaissance phishing” in the days leading up to the January 6 attack on the U.S. Capitol, with the hackers focusing on Washington D.C. and White House correspondents.

The China-backed hackers utilized subject lines pulled from recent U.S. news articles, such as “Jobless Benefits Run Out as Trump Resists Signing Relief Bill,” “US issues Russia threat to China,” and “Trump Call to Georgia Official Might Violate State and Federal Law,” according to the researchers.

Then, months later in August 2021, Zirconium turned its attention to journalists working on cybersecurity, surveillance, and privacy issues with a focus on China. The group resumed its activity in February 2022 following a months-long pause to target U.S.-based media organizations reporting on Russia’s then-anticipated invasion of Ukraine.

Proofpoint observed another China-backed threat group, known as TA459, targeting journalists and media personnel in late April 2022 with malware that, if opened, gave the attackers a backdoor to a victim’s machine. This campaign used a potentially compromised Pakistani government email address to send the emails and looked to entice victims with a lure on foreign policy in Afghanistan.

The researchers said it has seen a “sustained effort” by advanced threat groups around the world targeting or leveraging journalists, and found similar cyber-operations launched by state-sponsored hackers in North Korea, Turkey and Iran.

The North Korean-aligned TA404 hacking group, better known as Lazarus, was also active in targeting American journalists. The group, which was recently linked to the $100 million Harmony bridge theft, is said to have targeted a media organization with job opportunity-themed phishing after it published an article critical of North Korean leader Kim Jong-un. While Proofpoint did not see follow-up emails, its researchers note that the attack shares indicators of compromise with a North Korean campaign observed by Google threat researchers earlier this year.

In Turkey, a threat actor that Proofpoint tracks at TA482 and associates with the Turkish government was observed engaging in credential harvesting campaigns that targeted the social media accounts of mostly U.S.-based journalists and media organizations. The researchers also report that TA453, another hacking group that is believed to support the Iran’s Islamic Revolutionary Guard Corps intelligence collection efforts, is masquerading as journalists before deploying credential harvesting malware.

Proofpoint said that while targeting journalists and media organizations is not novel, those operating in the media space should assess their level of risk. “If you report on China or North Korea or associated threat actors, you may become part of their collection requirements in the future,” the researchers warn.

Source: TechCrunch

Peter Kavinsky

Peter Kavinsky is the Executive Editor at

Published by
Peter Kavinsky

Recent Posts

  • News

2022 North Carolina High School Football Scores

Click Here to Watch this High School Football Live Online for Free! Recent 2022 North…

9 seconds ago
  • News

Flood of the century: filled the air and queues for bread. Read the report from Prague shortly before the disaster Serie

<!----> tte special 20 years since the floodsCollection of links from Lidovch noviny, reports, personal…

1 min ago
  • News

Energy Crisis: “If a coal-fired power plant has to keep going, so be it”

Tuehat is the air in Herne? “Almost everywhere,” says Denise Herter. She lives in the…

5 mins ago
  • News

Russians fired from their territory eight communities in Sumy and Chernihiv . regions

the army of the Russian Federation continues to shell the areas of the Sumy and…

6 mins ago
  • News

The singing teacher rated the main hits of the summer: what is the secret of Shaman’s voice and the super popularity of Asti’s new song

Anna Asti's track "Bar" has been at the top of the charts all summerA picture:…

10 mins ago
  • News

Pellegrini announces Bartra’s move to Trabzonspor | Sports

Betis manager, Chilean Manuel Pellegrini, revealed this Sunday that defender Marc Bartra "decided to leave"…

12 mins ago