Every sector faces phishing. But only a handful are as widely targeted by espionage groups and leveraged by them in lures as the news media.
"Really, there are only three others that are anything like it," said Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint. "One would be diplomacy. Another would be kind of think tanks and other things. And then the third one, weirdly, is higher education."
In every case, those sectors both accrue information that espionage groups would be interested in and keep close contact with additional victims. Journalism is actually responsible for defending three different victim groups — reporters, who might have unique geopolitical intelligence piling up in their inboxes, their sources, and the broad audience of readers.
Journalism's bidirectional role in phishing is up across the board since the beginning of the year, said Kalember, something detailed in a new blog post by Proofpoint running down the recent espionage phishing attacks leveraging or targeting media.
The blog post focuses on the big four cyberespionage nations (China, Iran, North Korea and Russia), swapping Russia for Turkey. While Russia is a notable omission, Kalember notes that its main focus might be elsewhere.
"So much of their tasking is now wrapped up with a hot war," he said.
But that does not mean the hot war is not the focus of other groups' espionage. One Chinese-linked group targeted journalists to gain insight into U.S. plans for the Russia-Ukraine war. China also targeted journalists for similar reasons earlier in the year for information on more domestic chaos.
"Right around Jan. 6, they were just trying to figure out what was going on. If they were successful in compromising the targets that we saw them go after, it might have been genuinely helpful given the amount of leaks sent to White House correspondents who didn't always report every detail they got from the leakers," said Kalember.
A North Korea-linked group targeted journalists critical of the Kim regime in a "petty" attack Kalember likened to Sony Pictures if it had succeeded. The Iranian-linked Charming Kitten group leveraged journalist and newspaper email accounts to access academics and policy experts on Iranian affairs. And a Turkish-linked group tried to take over journalist social media accounts for indeterminate reasons, which may have included the ability to contact and observe dissident sources.
Media groups panicked last year as the spread of the militarized spyware contractor NSO Group took an international spotlight. But attacks of that complexity should not be the first concern for media groups looking to protect journalists, readers and sources, said Kalember.
"You don't need [NSO's] Pegasus if you're just looking to access a reporter's inbox," he said.
Instead, he pointed to more basic hygiene news organizations needed to accomplish. News organizations needed to do basic anti-phishing — for which Proofpoint is a vendor. They also needed to take a more active role in hunting down look-alike domains that could be used to mimic their own in phishing attacks, and implement DMARC to prevent outright spoofing.