Chinese Hackers Targeted U.S. Reporters Days Before Jan. 6: Report

A Chinese hacking group that's believed to have "strategic espionage objectives" targeted American journalists and media organizations in the days leading up to the January 6, 2021, riots at the U.S. Capitol, according to a Thursday report from cybersecurity firm Proofpoint.

Proofpoint said its researchers found evidence that an "advanced persistent threat" (APT) actor group from China hit U.S.-based journalists in early 2021 with "numerous reconnaissance phishing campaigns." The firm also stated it uncovered hacking activity against U.S. journalists from APT actors "assessed to be aligned with the state interests" of North Korea, Iran and Turkey.

The Chinese APT actor group was identified by Proofpoint as TA412, also known as Zirconium, which the U.K. government has said is "almost certain" to have links to China's civilian intelligence agency. The hacking group reportedly focused specifically on Washington, D.C., and White House correspondents in the days leading up to the Capitol riot.

Proofpoint said emails from the hackers used subject lines taken from recent U.S. news articles, including "Jobless Benefits Run Out as Trump Resists Signing Relief Bill," "US issues Russia threat to China" and "Trump Call to Georgia Official Might Violate State and Federal Law."

"Those involved in media make for appealing targets given the unique access, information, and insights they can provide on topics of state-designated import," Proofpoint wrote.

A computer screen is seen hacked
A cybersecurity firm said Chinese hackers were targeting journalists in the lead-up to the January 6, 2021, riots at the U.S. Capitol. This undated stock image depicts a computer being hacked. Getty Images

Proofpoint noted that journalists are at a heightened risk of phishing since they often communicate with "external, foreign, and often semi-anonymous parties to gather information." Due to this, gaining access to journalists' accounts "can be an entry point for threat actors for later stage attacks on a media organization's network or to gain access to desired information."

TA412 reportedly used malicious emails containing web beacons in its cyberattacks. Proofpoint explained that web beacons—also referred to as tracking pixels, tracking beacons and web bugs—embed hyperlinked non-visible objects within the body of an email that can track the computer user's activity and access information.

Proofpoint said TA412 has used this hacking method since at least 2016 but it has "evolved" over time, "adjusting lures to best fit the current U.S. political environment and switching to target U.S.-based journalists focused on different areas of interest to the Chinese government."

Proofpoint warned, "The focus on media by APTs is unlikely to ever wane, making it important for journalists to protect themselves, their sources, and the integrity of their information by ensuring they have an accurate threat model and secure themselves appropriately."

Newsweek reached out to the Chinese Embassy in Washington, D.C., for comment.