China‑Linked Hackers Conduct Phishing Campaigns Targeting Journalists and Activists
What Happened – Researchers at the Citizen Lab, working with the ICIJ, uncovered two extensive phishing operations, codenamed GLITTER CARP and SEQUIN CARP, run by freelance actors linked to the Chinese government. Over a nine‑month period more than 100 malicious domains were used to lure journalists, diaspora activists (Tibetan, Taiwanese, Hong Kong and Uyghur communities) and ICIJ staff into entering their credentials on attacker‑controlled pages.
Why It Matters for TPRM –
- State‑aligned actors are outsourcing transnational repression to low‑cost contractors, expanding the attack surface for third‑party vendors that host or process media‑related data.
- Credential‑stealing phishing can lead to downstream supply‑chain compromises (e.g., email hijacking, credential reuse on partner services).
- The campaigns demonstrate a “plausible‑deniability” model that makes attribution and legal response more difficult for organizations.
Who Is Affected – Media & journalism organizations, NGOs supporting diaspora communities, research institutes, and any third‑party service providers that host email or collaboration platforms for these groups.
Recommended Actions –
- Review all third‑party email and collaboration services for the email‑authentication controls that let receiving servers reject mail spoofing your domains: SPF, DKIM and a DMARC policy of quarantine or reject rather than p=none. Note the limit of these controls: they do nothing against mail sent from attacker‑registered lookalike domains, which is how credential‑harvesting lures are usually delivered. For staff in scope, phishing‑resistant MFA (hardware security keys or passkeys) is the control that makes a harvested password useless.
- Conduct credential‑reuse assessments for staff who handle sensitive communications: check corporate passwords against known breach corpora and enforce unique credentials per service, since a password harvested on one lure page is typically replayed against partner and vendor services.
- Implement targeted phishing awareness training for journalists, activists and their support vendors.
- Verify that any cloud or SaaS providers used by affected parties log sign‑in events with enough detail to investigate credential theft (source IP, device, new‑device and unfamiliar‑location alerts, OAuth grants and mail‑forwarding rule changes), retain those logs, and can revoke sessions and tokens quickly during incident response.
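The first recommended action can be made concrete as a small posture check. The script below is an added example written for this page, not tooling from the Citizen Lab, the ICIJ or The Record. A real assessment resolves the `_dmarc` and apex TXT records and known DKIM selectors over DNS (for example with dnspython); here the records are constructed inline for three hypothetical vendor domains so the check runs offline, and the finding texts and severity ordering are this example's own choices.

```python
"""Assess published SPF/DMARC/DKIM records for a list of vendor domains.

Added example for this page. The records below are constructed samples for
hypothetical domains; a live check would fetch them via DNS TXT lookups.
"""
import re

# Constructed sample records (hypothetical vendor domains, not real lookups).
# "dkim_selectors" holds whichever selector records the assessor could find.
SAMPLE_RECORDS = {
    "vendor-a.example": {
        "_dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@vendor-a.example; pct=100",
        "spf": "v=spf1 include:_spf.google.com -all",
        "dkim_selectors": {"google": "v=DKIM1; k=rsa; p=MIIBIjANBg..."},
    },
    "vendor-b.example": {
        "_dmarc": "v=DMARC1; p=none; rua=mailto:reports@vendor-b.example",
        "spf": "v=spf1 include:_spf.google.com ~all",
        "dkim_selectors": {},
    },
    "vendor-c.example": {
        "_dmarc": None,
        "spf": "v=spf1 +all",
        "dkim_selectors": {},
    },
}


def parse_tags(record):
    """Split a 'k=v; k=v' style TXT record into a dict (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return findings for a DMARC record; an empty list means no weakness seen."""
    if record is None:
        return ["DMARC: no record published; receivers cannot reject spoofed mail"]
    findings = []
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: record does not start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: missing or unknown policy {policy!r}")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; no aggregate reports of spoofing attempts")
    return findings


def assess_spf(record):
    """Return findings for an SPF record, focusing on the default 'all' term."""
    if record is None:
        return ["SPF: no record published"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings = []
    mechanisms = terms[1:]
    all_terms = [t for t in mechanisms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' term; unmatched senders get an implicit neutral")
    else:
        first = all_terms[-1][0]
        qualifier = first if first in "+-~?" else "+"  # '+' is the default qualifier
        if qualifier == "+":
            findings.append("SPF: '+all' authorises any host to send as this domain")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral and gives receivers nothing to act on")
        elif qualifier == "~":
            findings.append("SPF: '~all' is a softfail; acceptable only with DMARC p=quarantine/reject")
    # RFC 7208 caps DNS-querying terms at 10; beyond that the record permerrors.
    lookup_re = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)|^redirect=")
    lookups = sum(1 for t in mechanisms if lookup_re.match(t.lower()))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-querying terms exceeds the limit of 10")
    return findings


def assess_domain(domain, records):
    """Combine DMARC, SPF and DKIM findings for one domain."""
    findings = assess_dmarc(records.get("_dmarc")) + assess_spf(records.get("spf"))
    if not records.get("dkim_selectors"):
        findings.append("DKIM: no selector record found; signatures cannot be verified")
    return findings


def weakest_domains(all_records):
    """Domains ordered by number of findings, most findings first."""
    return sorted(all_records, key=lambda d: -len(assess_domain(d, all_records[d])))


if __name__ == "__main__":
    for domain in weakest_domains(SAMPLE_RECORDS):
        print(domain)
        for finding in assess_domain(domain, SAMPLE_RECORDS[domain]) or ["no findings"]:
            print("   ", finding)
```

The check deliberately treats `p=none` as a finding: a monitoring-only DMARC policy produces reports but lets spoofed mail through, so a vendor that claims "DMARC is deployed" should be asked which policy is actually published.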
Technical Notes – The attacks used more than 100 malicious domains, lures spoofing Google security alerts, and initial outreach over WhatsApp that steered targets to credential‑harvesting pages. No CVEs were cited; the vector was social engineering (phishing), not a software vulnerability. Source: The Record
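Because the lure was a spoofed Google security alert delivered from attacker‑registered domains, the useful triage checks are the ones that catch a brand name sitting on the wrong domain. The script below is an added example for this page, not code from the Citizen Lab, the ICIJ or The Record, and the two messages in it are constructed, not samples from the campaign. It assumes the organisation maintains an allow‑list of the Google domains its staff legitimately receive notices from (here a two‑entry hypothetical list), and it extracts the registrable domain by taking the last two labels, which is a simplification; production code should use a public‑suffix list.

```python
"""Triage a suspected spoofed 'Google security alert' for impersonation signs.

Added example for this page. Both messages are constructed; the allow-list
and the naive registrable-domain logic are this example's assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: an organisation-maintained allow-list of legitimate brand domains.
LEGIT_DOMAINS = {"google.com", "accounts.google.com"}
BRAND_TOKENS = ("google",)

# Constructed phishing-style message: brand in the display name, unrelated
# sender domain, DMARC failure recorded by the receiver, lookalike link.
PHISH_SAMPLE = """From: "Google Security" <no-reply@accounts-google-security.example>
To: reporter@newsroom.example
Subject: Security alert: new sign-in from an unknown device
Authentication-Results: mx.newsroom.example; dmarc=fail header.from=accounts-google-security.example
Content-Type: text/plain

Someone just used your password to sign in. Review activity: https://accounts-google-security.example/verify?u=reporter
"""

# Constructed benign message for contrast.
BENIGN_SAMPLE = """From: "Google" <no-reply@accounts.google.com>
To: reporter@newsroom.example
Subject: Security alert
Authentication-Results: mx.newsroom.example; dmarc=pass header.from=accounts.google.com
Content-Type: text/plain

Review recent activity: https://myaccount.google.com/notifications
"""


def registrable(host):
    """Naive registrable domain: last two labels (no public-suffix handling)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def under_legit_domain(host):
    """True if host is one of the allow-listed domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def levenshtein(a, b):
    """Edit distance, used to catch typosquats such as gooogle.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(host):
    """Why a non-allow-listed host resembles the brand, or None if it does not."""
    if under_legit_domain(host):
        return None
    reg = registrable(host)
    if any(tok in host.lower() for tok in BRAND_TOKENS):
        return f"brand name embedded in unrelated domain {reg}"
    for d in LEGIT_DOMAINS:
        if levenshtein(reg, registrable(d)) <= 2:
            return f"{reg} is within edit distance 2 of {registrable(d)}"
    return None


def triage(raw_message):
    """Return a list of impersonation indicators found in a single-part message."""
    msg = message_from_string(raw_message)
    indicators = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if any(tok in display.lower() for tok in BRAND_TOKENS) and not under_legit_domain(from_domain):
        indicators.append(f"display name '{display}' claims the brand but sender domain is {from_domain}")
    auth = msg.get("Authentication-Results", "")
    if re.search(r"\bdmarc=fail\b", auth, re.I):
        indicators.append("receiving server recorded dmarc=fail for the From domain")
    body = msg.get_payload()  # single-part text/plain in these samples
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        reason = lookalike_reason(host)
        if reason:
            indicators.append(f"link {url} -> {reason}")
        elif not under_legit_domain(host):
            indicators.append(f"link {url} points outside the brand's domains")
    return indicators


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, triage(sample) or ["no indicators"])
```

The `dmarc=fail` check only fires when the spoofed From domain is one the receiver can authenticate; a lure sent from a freshly registered lookalike domain with valid SPF and DKIM of its own will pass authentication, which is why the display‑name and link‑host checks carry most of the weight here.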