Foreign-based cybercriminals target U.S. journalists and media companies

Bad actors, presumed to be state-sponsored, are deploying phishing campaigns, malware and false identities to mine intelligence


Cybercrime is a universal threat for anyone digitally exposed to the internet today. But news media organizations and journalists, in particular, are increasingly the target of cybercriminals, including state-sponsored ones.

Ransomware is just one cyberwarfare weapon to shut down systems and hold businesses hostage. But cybersecurity technology company Proofpoint Inc. — based in Sunnyvale, California — discovered that state-sponsored “Advanced Persistent Threat Actors,” or “APTs,” are targeting journalists in other ways, too.

“Journalists and media organizations are well sought-after targets with Proofpoint researchers observing APT actors, specifically those that are state-sponsored or state-aligned, routinely masquerading as or targeting journalists and media organizations because of the unique access and information they can provide,” Proofpoint authors explained in the July 14 publication, “Above the Fold and in Your Inbox: Tracing State Aligned Activity Targeting Journalists, Media.”

The report was authored by Proofpoint’s Threat Research Team and Crista Giering, Joshua Miller and Michael Raggi. They compiled and analyzed data from 2021 and 2022, noting several ways state-sponsored APTs are targeting U.S. media members: phishing and credentials harvesting, malware and good old-fashioned subterfuge — posing as fellow journalists in foreign countries.

In the first two months of 2021, for example, Proofpoint tracked five incidents in which a China-based ABT targeted journalists working on politics or national security beats, the report explained. The bad actors simply used email, with timely, relevant messages about current affairs and events — other news stories, seemingly — to inspire the recipients to open them, thereby opening a digital door for the hackers. 

In April 2022, another Chinese APT group targeted media companies with emails containing a Royal RTF attachment. When opened, it would install and execute “Chinoxy malware,” the authors explained.

Another strategy is targeting journalists’ social media accounts, which can have some real-world repercussions.

“For example,” the authors explain, “in 2013, a threat actor took over the official Associated Press Twitter account and posted a tweet claiming that President Barack Obama had been injured in an attack on the White House. The stock market dropped more than 100 points in roughly two minutes following the tweet. Two years later, in 2015, a threat actor compromised about 130 Twitter accounts of influential individuals and tricked some of their followers into transferring more than $100,000 in Bitcoin to attacker-controlled accounts.”

China isn’t the only nation allegedly deploying hackers targeting journalists. Proofpoint says it has evidence, too, of APTs coming out of North Korea, Iran and Turkey.

“Since early 2022, Proofpoint researchers have observed a prolific threat actor, (Turkey) tracked as TA482, regularly engaging in credential harvesting campaigns that target the social media accounts of mostly U.S.-based journalists and media organizations. … Ongoing campaigns have narrowed in on the Twitter credentials of any individuals that write for media publications. This includes journalists from well-known news outlets to those writing for an academic institution and everything in between. The malicious emails are typically Twitter security themed and attempt to grab a recipient's attention with subjects alerting the user to a suspicious or new login location.”

Russia-backed APTs were missing from the report, but that doesn't mean they’re not players. But Russia was focused on other matters, after all.

Sherrod DeGrippo is Proofpoint’s vice president, threat research and detection.

“In recent months covering the publication period, Proofpoint observed a lower level of Russian journalist-targeting abroad. … This is consistent with publicized accounts of Russian authorities focusing on controlling the domestic media narrative, compared to the narrative abroad, specifically regarding the outbreak of the Russian invasion in Ukraine,” Proofpoint's Vice President, Threat Research and Detection Sherrod DeGrippo suggested to E&P by way of an email.

The best defense against APTs is information — preparing journalists and other members of the news organization to recognize and report potential phishing, harvesting or other possibly nefarious digital communications.

Asked about the threat level ransomware presents to media companies, DeGripp remarked, “Proofpoint routinely blocks millions of malicious emails containing malware, credential phish and malicious URLs, including those that may result in ransomware incidents. At this time, we have not looked at journalists and ransomware specifically.”

“Targeting journalists and media organizations is not novel. … From intentions to gather sensitive information to attempts to manipulate public perceptions, the knowledge and access that a journalist or news outlet can provide is unique in the public space,” the Proofpoint authors concluded.

Gretchen A. Peck is a contributing editor to Editor & Publisher. She's reported for E&P since 2010 and welcomes comments at


No comments on this item Please log in to comment by clicking here