Chinese hackers targeted US reporters before Capitol attack and Russian invasion, report finds
Andrea Peterson July 14, 2022

Chinese-aligned hackers targeted White House correspondents and other U.S. political reporters in the run-up to the January 6, 2021 attack on the U.S. Capitol as well as the Russian invasion of Ukraine, according to a new report from cybersecurity firm Proofpoint. 

The report highlights the cybersecurity risks facing journalists and other members of the news media, who have long been attractive targets for cyberspies.

The threat actor Proofpoint tracks as TA412 has carried out a series of phishing attempts against U.S.-based journalists since early 2021, according to the report. Researchers believe the attackers are aligned with Chinese government interests. In 2020, Microsoft reported that the same threat actor, which it tracks as Zirconium, had targeted people connected to the U.S. presidential campaign as well as think tanks focused on international relations. 

The findings aren’t the first time China has been linked to attacks on U.S. news media. Suspected Chinese state-affiliated hackers previously breached the networks of The New York Times, The Wall Street Journal, The Washington Post, and other outlets. Journalists are often targeted because they handle sensitive information before it becomes public, and their reporting requires maintaining source networks across government and the private sector. 

An example of an email used in the TA412 campaigns. Image: Proofpoint

Access to journalists’ email or social media accounts can also be valuable beyond the information those accounts contain. 

“A compromised account could be used to spread disinformation or pro-state propaganda, provide disinformation during times of war or pandemic, or be used to influence a politically charged atmosphere,” the report noted. 

One pivot, then another

The attacks by TA412 involved sending messages with invisible embedded images, also known as web beacons or tracking pixels. When a mail client loads such an image from an attacker-controlled server, the request reveals that the message was opened, along with the recipient's IP address, mail client and the time of opening, giving the attackers insight into targets and their networks before any malware is deployed. 
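The following Python script, added here as an illustration and not code from the Proofpoint report or the article, shows the kind of check a mail-security team can run over an HTML message body to flag likely web beacons: remote images that are rendered invisible (1x1 or smaller, or hidden by style) and whose URL carries a per-recipient token. The sample e-mail, its hostnames and its tokens are constructed for the example; the heuristics are assumptions of this example rather than anything Proofpoint described.

```python
"""Flag likely tracking pixels (web beacons) in an HTML e-mail body.

Added example, not from the Proofpoint report or the article. Heuristic:
an <img> is suspicious when its source is remote (http/https, not cid:
or data:), it is rendered invisible, and its URL carries an identifier
that could tie the fetch back to one recipient. Sample input is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Path segments of 16+ URL-safe characters are treated as tracking tokens.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,}$")


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> element in the document."""

    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.imgs.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """'1', '1px', ' 0 ' -> int; anything else (missing, '100%') -> None."""
    m = re.match(r"^\s*(\d+)\s*(px)?\s*$", value or "")
    return int(m.group(1)) if m else None


def _invisible_reasons(attrs):
    """Return the reasons an image would not be visible to the reader."""
    reasons = []
    w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    if w is not None and h is not None and w <= 1 and h <= 1:
        reasons.append("1x1 or smaller")
    style = re.sub(r"\s+", "", attrs.get("style", "")).lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden by style")
    if re.search(r"width:[01]px", style) and re.search(r"height:[01]px", style):
        reasons.append("1px by style")
    return reasons


def _tokens(url):
    """Pull query parameters and token-like path segments out of the URL."""
    parsed = urlparse(url)
    found = dict(parse_qs(parsed.query))
    for seg in parsed.path.split("/"):
        stem = seg.rsplit(".", 1)[0]  # drop a .gif/.png suffix
        if _TOKEN_RE.match(stem):
            found.setdefault("path", []).append(stem)
    return found


def find_beacons(html):
    """Return a list of suspected beacons: url, host, reasons, tokens."""
    collector = _ImgCollector()
    collector.feed(html)
    beacons = []
    for attrs in collector.imgs:
        src = attrs.get("src", "").strip()
        parsed = urlparse(src)
        if parsed.scheme not in ("http", "https"):
            continue  # cid:/data: images are embedded and contact no server
        reasons = _invisible_reasons(attrs)
        if not reasons:
            continue  # a visible remote image is ordinary HTML mail
        beacons.append({"url": src, "host": parsed.hostname,
                        "reasons": reasons, "tokens": _tokens(src)})
    return beacons


# Constructed sample: one visible logo, two hidden remote images carrying
# tokens, and one hidden inline (cid:) image that should not be flagged.
SAMPLE_EMAIL = """
<html><body>
<p>Read the latest on the troop buildup.</p>
<img src="https://news.example.com/images/logo.png" width="120" height="40">
<img src="https://t.example.net/open?u=4f1c9a2b7e3d&c=campaign-7"
     width="1" height="1" style="display:none">
<img src="cid:inline-photo-1" width="1" height="1">
<img src="https://cdn.example.org/p/9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d.gif"
     style="width:1px; height:1px;">
</body></html>
"""

if __name__ == "__main__":
    for beacon in find_beacons(SAMPLE_EMAIL):
        print(beacon["host"], beacon["reasons"], beacon["tokens"])
```

Run against the constructed sample, the script flags the two hidden remote images and leaves the logo and the inline `cid:` image alone. A mail gateway that blocks remote image loading, or a client configured not to fetch them, defeats this reconnaissance regardless of how the pixel is disguised.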

Between January and February of 2021, Proofpoint identified five campaigns from TA412. The company also observed TA412 shift its focus in the days leading up to the Capitol attack, concentrating on White House correspondents and other Washington, DC-based reporters. Malicious emails sent to targets during that time used subject lines “pulled from recent US news articles,” per the report. 

The group was active again in August 2021, this time targeting journalists who work on cybersecurity and surveillance issues. 

“Those targeted appeared to have written extensively on social media privacy issues and Chinese disinformation campaigns, signaling an interest by the Chinese state in media narratives that could push a negative global opinion or perception of China,” according to the report. 

After another lull, TA412 ramped up activities again on February 9, 2022 — switching gears to target those covering the anticipated Russian invasion of Ukraine. 

Subject lines from that campaign included, per Proofpoint:

New bill aims to prohibit US military aid to Ukraine

US issues Russia threat to China

Macron reveals Putin ‘guarantees’

UK to arm Ukraine with anti-ship missiles against Russia – Kiev’s envoy

US says how Ukraine stand-off can be resolved

UK says invasion ‘highly likely’

White House says door for diplomacy with Russia remains open, but troop buildup is continuing

Proofpoint reported that another Chinese advanced persistent threat group, TA459, targeted journalists with emails carrying a malicious attachment that infected their machines with the Chinoxy malware, giving the attackers backdoor access to victims’ systems. Researchers at Bitdefender had previously observed the same threat actor using the same malware against targets in Southeast Asia.

The Proofpoint report also outlined other cybersecurity incidents related to journalists involving sophisticated threat actors linked to Turkey, North Korea, and Iran.

Andrea (they/them) is senior policy correspondent at The Record and a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP), then The Washington Post from 2013 through 2016, before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight. Their work has also been published at Slate, Politico, The Daily Beast, Ars Technica, Protocol, and other outlets. Peterson also produces independent creative projects under their Plain Great Productions brand and can generally be found online as kansasalps.