Russian Hackers Target Journalists In Phishing Attack Against Press Freedom

Russian hackers target journalists in a credential phishing campaign linked to APT28, according to Reporters Without Borders. The operation sought email passwords from RSF staff, partners, and journalists. Investigators say the goal was account compromise, disruption, and intimidation of media defenders.

Authorities and private researchers have long tied APT28 to Russia’s GRU. The group is known for spear phishing, credential harvesting, and information operations against civil society.

RSF’s disclosure highlights intensifying risks for newsrooms and NGOs, echoing recent warnings about persistent state-aligned phishing.

Russian hackers target journalists: What You Need to Know

  • RSF links credential theft attempts to APT28, with lures impersonating trusted senders and directing victims to fake login pages.

Inside the APT28 phishing campaign

Russian hackers target journalists with emails that spoof trusted senders and route clicks to counterfeit login portals. RSF says the operation focused on capturing usernames and passwords for follow-on account takeovers and network access.

The tradecraft matches APT28’s documented tactics, including spear phishing and credential harvesting.

The lures relied on urgency, brand impersonation, and lookalike domains that mimic legitimate services. While RSF withheld full technical indicators, the nonprofit attributed the activity to APT28 based on overlaps with prior operations.
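The lookalike-domain pattern described above can be screened for at the mail gateway or in triage. The following is an added example, not code from RSF or from the original article; the allowlist, the sample links and the distance threshold are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): hosts staff really sign in to.
TRUSTED = ("mail.example.org", "login.example.com")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url, max_distance=2):
    """Return (verdict, reason) for one link taken from an email body."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.username is not None:
        return ("suspicious", "text before '@' hides the real host " + host)
    if host in TRUSTED:
        return ("trusted", host)
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return ("suspicious", "internationalized label, possible homograph")
    for good in TRUSTED:
        if host.startswith(good + ".") or "." + good + "." in host:
            return ("suspicious", "embeds " + good + " as a subdomain")
        if edit_distance(host, good) <= max_distance:
            return ("suspicious", "near match of " + good)
    return ("unknown", host)

if __name__ == "__main__":
    # Constructed sample links, not indicators from the RSF report.
    for link in (
        "https://login.example.com/auth",
        "https://login.examp1e.com/auth",
        "https://login.example.com.verify-session.net/",
        "https://login.example.com@198.51.100.7/reset",
        "https://xn--mil-5cd.example.org/",
        "https://news.example.net/",
    ):
        print(link, "->", classify(link))
```

An "unknown" verdict is not a clean bill of health; it only means the host resembles nothing on the allowlist.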

The disclosure arrives as civil society groups report a surge in targeted phishing and surveillance attempts. For practical guidance, see this explainer on how to avoid phishing attacks and this overview of brand impersonation phishing scams.

Who was targeted and why it matters

Russian hackers target journalists and press freedom groups to access sensitive communications and sources. RSF says the phishing concentrated on email accounts used by staff, partner organizations, and reporters.

Email credential theft is often the first step toward surveillance, data theft, and disruption of media work.

The risk extends beyond a single nonprofit. Russian hackers target journalists to undermine credibility and safety, and to sap resources through repeated response efforts even when compromises fail.

Attribution and a familiar playbook

Russian hackers target journalists using techniques seen across APT28 phishing attacks over many years. Public reporting from governments and vendors links the group to the GRU.

Recent CISA advisories describe APT28 tradecraft and exploitation of public-facing technologies, including Microsoft Outlook, consistent with the tactics observed here.

Readers assessing phishing-resistant workflows can review passkeys and vault sharing in 1Password’s latest release.

Defensive measures RSF encourages

RSF urges organizations to verify senders, avoid untrusted links, enable multi-factor authentication, and report suspicious messages. Recommended steps include:

  • Adopt phishing-resistant MFA for email and critical services.
  • Use password managers with unique credentials and passkeys.
  • Implement DMARC, DKIM, and SPF to limit spoofing attempts.
  • Provide regular security awareness training and simulations.
  • Establish rapid reporting and incident response workflows.
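
Publishing DMARC and SPF records is not the same as enforcing them. The following added example (not from RSF or the original article) audits the text of a domain's DMARC and SPF TXT records for settings that still let spoofed mail through; the sample records are constructed, and in practice the DMARC value is the TXT record at `_dmarc.<domain>`.

```python
def parse_tags(record):
    """Split a DMARC TXT value into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(record):
    """Return the weaknesses in one DMARC record (empty list = enforcing)."""
    if not record.strip().lower().startswith("v=dmarc1"):
        return ["not a DMARC record: must begin with v=DMARC1"]
    tags, findings = parse_tags(record), []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append("p=%s only monitors; spoofed mail is still delivered"
                        % (policy or "<missing>"))
    if tags.get("sp", "").lower() == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append("pct=%s applies the policy to only part of the mail" % pct)
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports arrive")
    return findings

def audit_spf(record):
    """Return the weaknesses in how one SPF record treats unlisted senders."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must begin with v=spf1"]
    alls = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not alls:
        redirected = any(t.lower().startswith("redirect=") for t in terms)
        return [] if redirected else ["no 'all' mechanism: unlisted senders get neutral"]
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"
    if qualifier in "+?":
        return ["%sall does not fail unauthorized senders" % qualifier]
    return []

if __name__ == "__main__":
    # Constructed records: a monitoring-only setup beside an enforcing one.
    weak = "v=DMARC1; p=none"
    strong = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.org"
    print(audit_dmarc(weak), audit_dmarc(strong))
    print(audit_spf("v=spf1 include:_spf.example.net +all"), audit_spf("v=spf1 mx -all"))
```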

Implications for press freedom and cybersecurity

Public attribution helps potential targets act faster. When Russian hackers target journalists and NGOs, early warnings can drive rapid password resets, takedowns of malicious domains, and coordinated awareness campaigns.

Naming APT28 phishing attacks also strengthens partnerships between defenders across borders.

Persistent campaigns carry costs. Russian hackers target journalists with repeated social engineering that drains budgets and time, even when attempts fail.

Adversaries may still harvest open-source intelligence to refine future lures, increasing the pressure on understaffed security teams.

Conclusion

Russian hackers target journalists through credential theft and social engineering rather than zero-day exploits. RSF’s alert underscores the need for basic controls that blunt these tactics.

Organizations should prioritize MFA, password managers, phishing-resistant passkeys, and domain authentication. Clear reporting processes and regular training improve detection and reduce dwell time during the next wave of APT28 phishing attacks.

The Reporters Without Borders cyberattack warning reinforces a simple message. Stay vigilant, patch systems, monitor for anomalies, and rehearse response playbooks to keep coverage flowing under pressure.

Questions Worth Answering

Who is APT28, also known as Fancy Bear?

A Russian state-linked threat group long associated with the GRU and known for phishing, espionage, and influence operations.

What did RSF report about the incident?

RSF detailed targeted phishing intended to steal email credentials from staff, partners, and journalists, consistent with APT28 phishing attacks.

Was there confirmation of a breach at RSF?

RSF publicized the attempts and raised awareness. It did not share broader impact details beyond the phishing activity.

How do the lures typically capture credentials?

They impersonate trusted senders, create urgency, and route victims to fake login pages that record usernames and passwords.

Why do Russian hackers target journalists?

They seek access to sources and communications, disrupt reporting, and gather intelligence that supports information operations.

How can organizations reduce phishing risk?

Use MFA, password managers, verified links, and continuous training. See tips on avoiding phishing.

Is this part of a larger global trend?

Yes. Media and NGOs face sustained phishing and credential theft by state-aligned actors targeting civil society.

About Reporters Without Borders

Reporters Without Borders is a global nonprofit that defends press freedom and supports journalists at risk. The organization operates in more than 130 countries.

RSF monitors threats, provides emergency assistance, and publishes the World Press Freedom Index that tracks global press freedom trends.

Learn more about its mission and alerts at RSF’s official website.
