In the days before the January 6, 2021, insurrection, Chinese hackers sent out a flurry of malicious emails to prominent White House correspondents and other journalists at major US news outlets in an apparent intelligence collection effort, US cybersecurity firm Proofpoint said Thursday.
As Chinese hackers scrambled to ascertain whether there would be a peaceful transfer of power in the US, they tried to break into the email accounts of high-profile US journalists, who can be softer targets for hackers than officials on US government networks.
The newly revealed hacking campaign shows just how valuable a target journalists can be to intelligence services in search of clues about US policy. To try to lure them, the attackers wrote email subject lines about then-President Donald Trump’s attempts to overturn the 2020 election, pandemic relief legislation and other enticing issues.
It’s unclear how successful the hacking campaign was – Proofpoint said it blocked the malicious emails that it found. But more journalists need to be aware of the issue because the number of capable hacking groups targeting journalists is “unprecedented,” said Ryan Kalember, Proofpoint’s executive vice president for cyber strategy. “And it’s only likely to increase.”
Proofpoint attributed the Chinese hacking efforts to a group that the UK government has linked with China’s civilian intelligence agency, the Ministry of State Security.
CNN has requested comment from the Chinese Embassy in Washington, DC. Beijing routinely denies hacking allegations and has repeatedly accused the US of engaging in cyber attacks against China.
Journalists are perennial targets for cyber espionage because they regularly interact with US government officials, whistleblowers and critics of authoritarian regimes – information that foreign intelligence services look to exploit. And breaching the computer network of a major newsroom could offer the hackers a foothold for a long-running intelligence collection effort.
Cybersecurity vigilance is all the more necessary for journalists, experts say, as the US prepares for midterm elections this fall and foreign actors may try to use media outlets to sow discord or spread disinformation about voting – as Russian operatives did in the 2016 presidential election.
Newsrooms should “take the time to review [hacking] incidents affecting others in your industry,” advised Runa Sandvik, the former senior director for information security at The New York Times. “Have a plan in place. Think about the potential outcomes if a reporter’s email or social media account is compromised.”
Politically astute hackers
US intelligence agencies singled out Russia and China for trying to hack journalists in their most recent annual threat assessment, published in March.
Many academics and reporters who focus on China and Russia have accepted that cyber-espionage comes with the territory.
“We’re so attuned to this, and in some cases numb to this,” said one reporter who covers China for a US news outlet, citing a string of suspicious emails.
“It’s my assumption that I’ve previously been hacked,” added the reporter, who spoke on the condition of anonymity so as not to attract additional online attention.
But the list of government and non-government entities that have either impersonated or targeted journalists online is long.
Iranian hackers, for example, last year posed as representatives of the Guardian, a British news outlet, and Fox as part of an attempt to break into the computer networks of defense contractors and academics, respectively, according to the data from Proofpoint.
The impersonation scheme showed a strong grasp of US political dynamics, Kalember said.
“If they’re going after a target that’s likely to engage with more liberal-leaning content, they’ll impersonate the Guardian,” Kalember told CNN. “If they’re doing that on the right-wing side, they’ll impersonate Fox News.”
The public may only learn if cyber-espionage actors breached a news organization when the hack is big enough to make the news. And the disclosure that intelligence-seeking hackers compromised networks can raise uncomfortable questions for newsrooms, such as their ability to protect sources and whistleblowers.
News Corp, which owns the Wall Street Journal and Dow Jones, in February disclosed a “persistent cyberattack” that appeared to be an espionage operation. The hacking campaign began a year earlier and targeted dozens of Wall Street Journal journalists who covered China-related issues, sources familiar with the matter told CNN at the time.
News Corp has hired a law firm to determine if any of the data accessed by the hackers included personally identifiable information that would require the company to notify regulators or affected parties, a person familiar with the matter told CNN. Affected News Corp journalists will be offered the opportunity to review the law firm’s findings to see if any data was related to newsgathering or sources, the person said.
News Corp spokesperson James Kennedy told CNN this week that the company continues “to conduct analysis and remediation work” related to the incident.
There have not been any interruptions to News Corp’s business operations due to the hacking incident “and the attack activity was contained [and has not recurred],” Kennedy said in an email.
Some national news outlets have in recent years invested in internal cybersecurity teams to detect and remediate threats. Local newspapers and digital startups often don’t have that luxury.
Tech firms like Google, Meta and Apple offer cybersecurity protections for journalists and other at-risk groups. But there needs to be more of a proactive effort to connect journalists – and the executives at media companies making decisions on resource spending – with those tools, according to Sandvik, founder of Granitt, a firm that offers cybersecurity protections for journalists.
After all, she said, journalists need to be able to safely navigate malicious websites and other shady corners of the internet as part of their investigative work.
“[I]f there’s one thing that journalists need to do it’s to be able to click on links from strangers and open attachments that they receive from people that they don’t know,” Sandvik said.