APT Groups Trapping Targets with Clever Twitter Scheme

According to researchers, state-backed APT groups are trapping their targets by employing social engineering tactics including posing as Twitter employees and journalists.

Proofpoint researchers have published a report on the social engineering tactics state-backed hackers use to breach their targets. According to the report, threat actors aligned with the Chinese, Iranian, and Turkish governments pose as Twitter security staff and as journalists to lure their victims.

Turkish Hackers

As per the report, an Advanced Persistent Threat (APT) group tracked as TA482 sends phishing emails to its targets, mainly US journalists and media outlets, to gain access to their accounts and obtain sensitive data.

Turkish hackers primarily target journalists to steal their social media accounts. Proofpoint researchers found that in one campaign TA482 sent messages styled as Twitter security notices: the message warned the recipient of a ‘New Login’ from Moscow, Russia, and urged them to click a link to change their password. The link led to a credential-harvesting page, and those who entered their password there had their accounts hijacked.

Phishing email sent by Turkish hackers (Proofpoint)

Iranian Hackers

The Iranian hackers were identified as TA453 (also tracked as Cobalt Illusion, Charming Kitten, Phosphorus, APT35, and Newscaster). The group created reporter personas to break into the email accounts of academics and of foreign policy experts focused on the Middle East. They sent emails to their victims, one of which read:

 “My name is Amy Duncan and I’m a senior reporter with Metro newspaper. I would be most grateful if I could have an interview with you.”

The hacker sent multiple follow-up emails and even sent the academic an invitation for a video call containing a link that redirected to a login page.

According to Proofpoint’s blog post, the hackers posed as journalists from credible news outlets, such as The Guardian, Fox News, and iNews. Proofpoint researchers explained that TA453 frequently masquerades as journalists to fulfil its objectives in support of the Islamic Revolutionary Guard Corps.

Attack chain of TA457 (Proofpoint)

Chinese Hackers

Chinese hackers’ objectives are mainly espionage-related. Proofpoint observed TA412, aka Zirconium, being particularly active against US-based journalists since early 2021. The group sent its targets emails containing web beacons, also known as tracking pixels: tiny or hidden remote images that are fetched from the attacker’s server when the message is opened, telling the sender that the address is live and revealing the reader’s IP address and mail client.

The group specialises in stealthy campaigns and readily adapts its email lures to the target. Another APT group, TA459, surfaced in April 2022 and targeted media personnel with emails carrying a malicious RTF attachment built with the Royal Road weaponizer; opening the document installed and executed the Chinoxy malware.
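Two of the lures described above, the fake Twitter ‘New Login’ notice with a password-reset link and TA412’s tracking pixels, can be spotted by inspecting the HTML of a message before anyone clicks or renders it. The following scanner is an added example and is not code from Proofpoint or from the report; it flags remote images that are 1x1 or hidden by CSS, and links whose visible text names one host while the href actually goes to another. The sample message, every hostname in it (the `.test` domains) and the tracking id are constructed for this demo.

```python
"""Triage an HTML email body for web beacons and deceptive links.

Added example, not code from Proofpoint or from the page. Hostnames and
ids in the sample are constructed. A tracking pixel is a remote image,
usually 1x1 or hidden, fetched from the sender's server when the message
is rendered; the fetch leaks the reader's IP address, mail client and the
time the mail was opened. A deceptive link shows one host as text but
sends the click somewhere else.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A bare or scheme-prefixed hostname appearing in visible link text.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def _px(value):
    """Parse a width/height attribute such as '1' or '1px'; None if absent."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", str(value))
    return int(m.group(1)) if m else None


class MailScanner(HTMLParser):
    """Collects remote images that look like beacons and links whose
    visible text names a different host than the real destination."""

    def __init__(self):
        super().__init__()
        self.remote_images = []    # every image fetched over the network
        self.beacons = []          # the subset invisible to the reader
        self.links = []            # (visible text, href) for every <a>
        self.deceptive_links = []  # visible host differs from href host
        self._link = None          # (href, [text chunks]) while inside <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            self._check_image(a)
        elif tag == "a":
            self._link = (a.get("href") or "", [])

    def handle_data(self, data):
        if self._link is not None:
            self._link[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._link is not None:
            href, chunks = self._link
            self._link = None
            text = " ".join("".join(chunks).split())
            self.links.append((text, href))
            self._check_link(text, href)

    def _check_image(self, a):
        src = (a.get("src") or "").strip()
        if not src.lower().startswith(("http://", "https://")):
            return  # cid:/data: images are inline and cannot phone home
        self.remote_images.append(src)
        reasons = []
        w, h = _px(a.get("width")), _px(a.get("height"))
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append(f"{w}x{h} image")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if reasons:
            self.beacons.append({"url": src, "host": urlparse(src).hostname,
                                 "reason": ", ".join(reasons)})

    def _check_link(self, text, href):
        shown = HOST_RE.search(text)
        real = urlparse(href).hostname
        if shown and real and shown.group(1).lower() != real.lower():
            self.deceptive_links.append(
                {"shown": shown.group(1), "actual": real, "href": href})


def scan_html(body):
    """Return the findings for one HTML body as a dict of lists."""
    s = MailScanner()
    s.feed(body)
    s.close()
    return {"remote_images": s.remote_images, "beacons": s.beacons,
            "links": s.links, "deceptive_links": s.deceptive_links}


# Constructed sample: a lure styled like a "new login" security notice.
SAMPLE_EMAIL = """<html><body>
<p>We noticed a new login to your account from Moscow, Russia.</p>
<p>If this wasn't you, reset your password here:
<a href="https://twitter-security-center.example.test/reset">https://twitter.com/settings/password</a></p>
<p>Help centre: <a href="https://help.example.test/">help.example.test</a></p>
<img src="https://cdn.example.test/logo.png" width="120" height="40">
<img src="https://track.example.test/open?id=a1b2c3" width="1" height="1" alt="">
<img src="http://track.example.test/px.gif" style="display: none">
<img src="cid:inline-logo" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    report = scan_html(SAMPLE_EMAIL)
    for b in report["beacons"]:
        print(f"beacon  {b['host']:<24} {b['reason']}")
    for d in report["deceptive_links"]:
        print(f"link    shows {d['shown']} but goes to {d['actual']}")
```

The scan never fetches anything, so running it does not itself trip the beacon; in a real mailbox you would feed it the decoded `text/html` part of the message (for example from `email.message_from_bytes(...)`) and treat any beacon host or deceptive link as a reason to stop and verify the sender out of band.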

Why are Journalists Targeted?

The researchers wrote that the media sector is a favoured target because the risk of failure is comparatively low. Regardless of their affiliation, state-aligned hackers have repeatedly targeted media organisations and journalists, either to shape public perception or to collect sensitive information.

“Targeting the media sector also lowers the risk of failure or discovery to an (advanced persistent threat) actor than going after other, more hardened targets of interest, such as government entities.”


How to Stay Protected?

Sherrod DeGrippo, Proofpoint’s vice president of threat research and detection, said that journalists can protect themselves from such attacks by first assessing how much of a target they are.

 “For example, we have seen targeted attacks against academics and foreign policy experts, particularly those working on Middle Eastern foreign affairs, so individuals in this line of work should be particularly cautious,” DeGrippo explained.

Journalists should also be cautious when corresponding from external email services such as ProtonMail or Gmail, and should list any such addresses on their outlet’s website so that recipients can verify that a message really comes from them.

