

APT Groups Trapping Targets with Clever Twitter Scheme

According to researchers, state-backed APT groups are trapping their targets by employing social engineering tactics including posing as Twitter employees and journalists.

Proofpoint cybersecurity researchers have released a shocking report on how state-backed hackers employ novel tactics to carry out data breaches and trap their targets. Reportedly, threat actors allegedly affiliated with the Chinese, Iranian, and Turkish governments are posing as Twitter employees and journalists.

Turkish Hackers

As per the report, an Advanced Persistent Threat (APT) group identified as TA482 sends phishing emails to infiltrate the computer systems of their targets (mainly US journalists/media outlets) and obtain sensitive data.

Turkish hackers primarily target journalists to steal their social media accounts. Proofpoint researchers revealed that TA482 used fake Twitter messages in one instance. The victim was notified about a ‘New Login’ attempt in Moscow, Russia, and was asked to click on a URL to change the password. Those who clicked got their accounts hijacked.

Figure: Phishing email sent by Turkish hackers (Proofpoint)

Iranian Hackers

Iranian hackers were identified as TA453 (aka Cobalt Illusion, also known as Charming Kitten, Phosphorus, APT35, and Newscaster). The group created reporter personas to breach the email accounts of foreign affairs policy experts from the Middle East and academics. They sent emails to their victims, one of which read:

“My name is Amy Duncan and I’m a senior reporter with Metro newspaper. I would be most grateful if I could have an interview with you.”

The hacker sent multiple follow-up emails and even sent the academic an invitation for a video call containing a link that redirected to a login page.

According to Proofpoint’s blog post, the hackers posed as journalists from credible news outlets such as The Guardian, Fox News, and iNews. Proofpoint researchers explained that TA453 frequently masquerades as journalists to fulfill its malicious objectives and support the Islamic Revolutionary Guard Corps.

Figure: Attack chain of TA457 (Proofpoint)

Chinese Hackers

Chinese hackers’ objectives are mainly espionage-related. Proofpoint observed TA412, aka Zirconium, being particularly active in targeting US-based journalists since early 2021. The group sent its targets emails containing web beacons (tracking pixels), which reveal when and from where a message is opened.

The group identified by Proofpoint specializes in stealthy campaigns and is skilled at tweaking its email lures to suit the target. Another APT group, TA459, surfaced in April 2022 and targeted media personnel with emails carrying a malicious Royal Road RTF attachment, which installed and executed Chinoxy malware when opened.

Why are Journalists Targeted?

Researchers wrote that these groups use such tactics to achieve their malicious objectives. Their target is the media sector, mainly because the risk of failure is comparatively low. Regardless of their affiliation, hackers have frequently targeted media organizations and journalists to manipulate public perceptions or collect sensitive data.

“Targeting the media sector also lowers the risk of failure or discovery to an (advanced persistent threat) actor than going after other, more hardened targets of interest, such as government entities.”

Proofpoint

How to Stay Protected?

Proofpoint’s vice president of threat research and detection, Sherrod DeGrippo, said that journalists could protect themselves from such attacks by evaluating the level of risk they face.

“For example, we have seen targeted attacks against academics and foreign policy experts, particularly those working on Middle Eastern foreign affairs, so individuals in this line of work should be particularly cautious,” DeGrippo explained.

Journalists who use external email services such as ProtonMail or Gmail should also remain cautious, and should list those addresses on their website so that correspondents can verify an address’s legitimacy.

