The CYFIRMA Industries Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the telecommunications & media industry, presenting key trends and statistics in an engaging infographic format.
Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the Telecommunications & Media industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the telecommunications & media industry.
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.
CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.
For the purpose of these reports, we leverage the following data from our platform. This data is processed by AI and ML automation, drawing on both human research input and automated ingestion.
OBSERVED ATTACK CAMPAIGNS
Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors, both nation-state and financially motivated.
Each attack campaign may target multiple organizations across various countries.
Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.
Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.
PHISHING
Our data focuses on phishing campaigns rather than individual phishing or spear-phishing emails, which may limit visibility into more advanced single-target attacks.
Our primary focus is on detecting which brand is being impersonated rather than who is being targeted. Because of our collection methodology and automation, we may not present comprehensive victimology for phishing campaigns across all industries, as some industries simply do not make good phishing lures.
RANSOMWARE
Our data on victims in this report is directly collected from respective ransomware blogs, though some blogs may lack detailed victim information beyond names or domains, impacting victimology accuracy during bulk data processing.
In some cases, there are multiple companies that share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations where we are not able to identify which branch in which country was actually compromised. In such a case, we count the country of the company’s HQ.
During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.
Data related to counts of victims per ransomware group and respective dates are 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.
Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.
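The resolution rules described above (victim names or domains as posted, a country-code domain where one is posted, the HQ country as the fallback for multinationals, and same-name companies in different countries treated as unresolved) can be made concrete in a small aggregation routine. The following is an added example, not CYFIRMA's pipeline; the company registry, the ccTLD map and the leak-site entries are constructed for illustration, and the group names are used only as labels.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

INDUSTRY = "Telecommunications & Media"

# Constructed company registry (not a real dataset): normalised name ->
# list of (industry, HQ country). More than one entry means the name is shared
# by different companies in different countries.
REGISTRY = {
    "acme telecom": [(INDUSTRY, "US")],
    "northwind media": [(INDUSTRY, "DE")],
    "contoso marketing": [(INDUSTRY, "US")],
    "initech": [("Technology", "US")],
    "globex": [("Manufacturing", "MX"), ("Manufacturing", "ES")],
}

# Country-code TLDs, only what the sample needs.
CCTLD = {"de": "DE", "es": "ES", "mx": "MX", "my": "MY", "be": "BE"}


@dataclass
class Post:
    group: str
    victim: str                    # name or domain exactly as it appears on the leak site
    posted: str                    # ISO date the entry appeared
    country: Optional[str] = None  # only when the post itself states the country


def normalise(victim: str) -> str:
    """Registry key: lower-case, first label of a domain, hyphens to spaces."""
    v = victim.lower().strip()
    if "." in v:
        v = v.split(".")[0]
    return v.replace("-", " ")


def resolve(post: Post):
    """Return (industry, country, basis).

    basis records how the country was decided: 'post' (stated in the leak post),
    'cctld' (country-code TLD of the posted domain), 'hq' (registry HQ, the rule
    applied to multinationals) or 'ambiguous' (shared name or unknown company).
    Industry is only filled when every registry match agrees on it.
    """
    matches = REGISTRY.get(normalise(post.victim), [])
    industries = {m[0] for m in matches}
    industry = industries.pop() if len(industries) == 1 else None
    if post.country:
        return industry, post.country, "post"
    if "." in post.victim:
        tld = post.victim.lower().rsplit(".", 1)[-1]
        if tld in CCTLD:
            return industry, CCTLD[tld], "cctld"
    if len(matches) == 1:
        return industry, matches[0][1], "hq"
    return industry, None, "ambiguous"


def summarise(posts):
    """The figures the report presents: victims per group (exact, straight from
    the posts), industry share, each group's focus on the industry, the country
    distribution of industry victims, and how many entries stay unresolved."""
    per_group_all = Counter(p.group for p in posts)
    per_group_ind, countries = Counter(), Counter()
    unresolved = 0
    for p in posts:
        industry, country, basis = resolve(p)
        if basis == "ambiguous":
            unresolved += 1
        if industry == INDUSTRY:
            per_group_ind[p.group] += 1
            if country:
                countries[country] += 1
    ind_total = sum(per_group_ind.values())
    return {
        "total": len(posts),
        "industry_victims": ind_total,
        "share_pct": round(100 * ind_total / len(posts), 1),
        "per_group_all": dict(per_group_all),
        "per_group_industry": dict(per_group_ind),
        "focus_pct": {g: round(100 * per_group_ind[g] / n, 1) for g, n in per_group_all.items()},
        "countries": dict(countries),
        "unresolved": unresolved,
    }


# Constructed leak-site entries for the example.
SAMPLE = [
    Post("BlackBasta", "Acme Telecom", "2024-01-15"),
    Post("BlackBasta", "northwind-media.de", "2024-02-03"),
    Post("LockBit3", "Globex", "2024-02-20"),                # shared name, no country: stays ambiguous
    Post("LockBit3", "Globex", "2024-03-01", country="ES"),  # same name, country given in the post
    Post("Play", "Contoso Marketing", "2024-03-11"),
    Post("Ransomhub", "initech.com", "2024-03-18"),          # gTLD, so the HQ country is used
    Post("Ransomhub", "Unknown Corp", "2024-03-25"),         # not in the registry
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.group, p.victim, "->", resolve(p))
    print(summarise(SAMPLE))
```

Per-group counts come straight from the posts and need no resolution, which is why they are exact while industry and geography carry the ambiguity noted above; the `unresolved` figure is what a manual-verification pass would have to work through.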
Telecommunications & Media organizations (including marketing) featured in 8 of the 10 observed campaigns, a presence in 80% of campaigns.
This 90-day snapshot includes only the last 4 days of December. Over the three full months we see a sharp spike in January, followed by a decline to no relevant campaigns observed in March.
We observe an interesting combination of Chinese threat actors, such as Leviathan, with a strong focus on the Middle East. Additionally, we have detected the presence of Iranian APT US17IRGCorp (APT34) and the well-known North Korean Lazarus Group.
Recorded victims of observed attack campaigns span 36 different countries, with Japan, India and the US having the highest number of victims. Middle Eastern countries are notable as growing targets, alongside a persistent presence in South and Southeast Asia.
Attack campaigns focused primarily on web applications, operating systems and cloud services, among others.
Risk Level Indicator: High
In the past 90 days, Telecommunications & Media organizations were present in 80% of the observed campaigns, marking a slight increase from 78% in the previous period. The overall number of campaigns also rose from 9 to 10.
Various communication technologies are of significant strategic interest to nation-states and retain a high-risk factor due to the sophisticated nature of nation-state-sponsored threat actors.
Data indicates ongoing activity from multiple Chinese nation-state APTs, including APT41 (tracked as MISSION2025 by CYFIRMA), Mustang Panda, and Leviathan. Additionally, Iranian APT US17IRGCorp (APT34) and the notorious North Korean Lazarus Group were also observed.
The most targeted countries are Japan, India and the US, with the UK also prominent, reflecting the geopolitical interests of the threat actors named above. Moreover, there is a noticeable and increasing presence in the Middle East and APAC regions, indicating a widening scope of cyber operations beyond traditional target countries.
Web applications remain the primary target across various industries, followed by operating systems and various cloud services.
Over the past 3 months, CYFIRMA’s telemetry recorded 347,474 phishing campaigns in total, of which 36,078 impersonated Telecommunications & Media industry organizations.
Combined categories of Social Networking, Telecommunications and Gaming amount to 10.38% of all observed phishing campaigns.
In total, we have observed 79 impersonated brands. By volume, the most impersonated brands are popular social media platforms, although gaming brands such as Garena and the Steam platform also gained significant volumes. Counted by distinct brand, however, regional telco service providers are the most numerous of the 79.
The majority of the campaigns originated from the US, followed by the Netherlands and Germany.
Risk Level Indicator: High
The Telecommunications & Media sector has long been a preferred target for phishing attacks. Internet Service Providers (ISPs) are particularly attractive, especially in regions where major providers dominate the market. Additionally, various social media platforms are common targets for phishing, with the takeover of social media accounts becoming a primary objective.
We are also witnessing a steady increase in gaming-related impersonations, driven by the growing popularity of gaming across different age groups. In particular, the Garena platform, highly favoured in Southeast Asia, has emerged as a prominent phishing lure in the region. Furthermore, the gaming platform Steam has been growing in popularity as Command & Control (C2) infrastructure for distributing malicious payloads.
The United States stands out significantly as the most frequent country of origin for these attacks, accounting for 64% of cases, followed by the Netherlands and Germany. This is closely linked to the robust digital infrastructure in these countries, particularly in the US, and the availability of compromised systems used within botnets and as proxies.
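The brand-impersonation detection this section relies on (and the lure types discussed above: ISP and telco brands, social media platforms, gaming platforms such as Garena and Steam) can be illustrated with a small classifier that maps an observed phishing hostname to the brand it imitates. This is an added example, not CYFIRMA's detection logic; the brand watch list, the homoglyph table and the sample hostnames are constructed, and the registrable-domain split is deliberately naive (a production version would use the Public Suffix List).

```python
import re
from collections import Counter

# Hypothetical watch list, constructed for this example: brand keyword ->
# legitimate registrable domains. A production list would be far larger.
BRANDS = {
    "facebook": {"facebook.com"},
    "steam": {"steampowered.com", "steamcommunity.com"},
    "garena": {"garena.com"},
    "telkomsel": {"telkomsel.com"},  # constructed regional-telco entry
}

# Common digit/symbol substitutions folded back to letters before comparison.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a"})

# Constructed sample of observed phishing hostnames (not real telemetry).
SAMPLE_HOSTS = [
    "login.facebook.com.verify-account.example",  # brand placed in a subdomain
    "steamcommunlty.example",                      # one-character typo
    "g4rena-topup.example",                        # homoglyph plus keyword token
    "www.facebook.com",                            # the real brand, not phishing
    "mybank-secure.example",                       # no brand on the watch list
]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short, so no optimisation is needed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host: str):
    """Return (subdomain labels, registrable domain).

    Naive rule: the registrable domain is the last two labels. Real code should
    use the Public Suffix List so that e.g. example.co.id is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])


def classify(host: str):
    """Return (brand, technique) or None when no watch-listed brand matches.

    technique is one of: 'legitimate' (the brand's own domain), 'subdomain_keyword'
    (brand name in a label left of the registrable domain), 'keyword_in_domain'
    (brand or its real second-level label used as a hyphen-separated token after
    homoglyph folding) or 'typosquat' (edit distance <= 2 from a legitimate label).
    """
    subs, reg = split_host(host)
    sld = reg.split(".")[0]
    folded = sld.translate(HOMOGLYPHS)
    tokens = set(re.split(r"[-_]", folded))
    for brand, legit in BRANDS.items():
        legit_slds = {d.split(".")[0] for d in legit}
        if reg in legit:
            return brand, "legitimate"
        if any(brand in label for label in subs):
            return brand, "subdomain_keyword"
        if brand in tokens or tokens & legit_slds:
            return brand, "keyword_in_domain"
        if len(folded) >= 6 and any(levenshtein(folded, s) <= 2 for s in legit_slds):
            return brand, "typosquat"
    return None


def impersonation_counts(hosts):
    """Per-brand counts of impersonating hosts: the 'most impersonated brands' view."""
    counts = Counter()
    for h in hosts:
        hit = classify(h)
        if hit and hit[1] != "legitimate":
            counts[hit[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:45} -> {classify(h)}")
    print(impersonation_counts(SAMPLE_HOSTS))
```

The ordering of the checks matters: an exact match on the registrable domain is tested first so the brand's own site is never counted as a lure, and the typosquat rule carries a minimum length so that short labels do not produce spurious matches. Because the classifier keys on the brand rather than on who received the message, it yields exactly the brand-level view described in the methodology, with no victimology.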
In the past 90 days, CYFIRMA has identified 62 verified ransomware victims within the Telecommunications & Media industry. This accounts for 5.9% of the overall total of 1,054 ransomware incidents recorded during the same period.
December includes only the last 4 days. Over the three full months we observed a consistent number of victims. Similarly, in the preceding 90-day period the number of victims remained steady, between 20 and 23 each month.
A breakdown of monthly activity offers insights into the activity of individual gangs. For instance, ALPHV recorded the highest number of victims in January, while Ransomhub recorded all their victims in this industry in March.
In total, 22 of the 50 active groups recorded victims among Telecommunications & Media organizations in the past 90 days. The top 5 are responsible for half of them.
Comparing industry victims to each group's overall total, the most active group, BlackBasta, has 9 of its 60 victims (15%) in the Telecommunications & Media industry, implying a focus on this industry.
The geographic distribution heatmap underscores the widespread impact of ransomware, highlighting the countries where victims in this industry have been recorded.
In total, 25 countries recorded ransomware victims, with the US alone accounting for ~52% of all victims with identified geography.
Listing the consolidated sectors falling under the telecommunications & media industry umbrella shows a wide variety of sectors, including many niches. Among these, the Telecommunication, Marketing and Advertising sectors are notably affected, registering the highest number of victims.
Risk Level Indicator: Medium
The ransomware risk for the Telecommunications & Media industry remains moderate, unchanged from the previous 90-day period. Consistency over the combined past 180 days is remarkable, with 19 to 23 recorded victims per month. The industry's overall share of victims, however, rose from 4.5% to 5.9%.
Among the 50 groups recording victims in the past 90 days, BlackBasta, LockBit3 and Play recorded the highest numbers, collectively representing 39% of all victims in this industry. In particular, BlackBasta shows a heightened interest, with 15% of all its victims falling in the Telecommunications & Media industry.
Ransomware incidents targeting this industry have been reported in 25 different countries, with the USA representing 52% of cases. Other notable countries include Mexico (3 victims), Belgium, Germany, Malaysia, and Spain, each recording 2 victims. Notably, incidents are widely dispersed, with single victims reported across 19 additional countries.
Analysis of sectors within the Telecommunications & Media industry reveals that Telecommunication devices and services, as well as Marketing and Advertising organizations, are prominently affected, registering the highest number of victims.
For a comprehensive, up-to-date global ransomware tracking report on a monthly basis, please refer to our monthly “Tracking Ransomware” series.
In the external threat landscape of the Telecommunications & Media industry, we observe a medium to high risk across monitored categories.
APT Campaigns continue to pose significant risks, with Telecommunications & Media organizations present in 80% of the observed campaigns. Notably, multiple Chinese nation-state APTs, alongside Iranian and North Korean groups, demonstrate ongoing activity, with a notable expansion of operations into regions like the Middle East and APAC.
Phishing attacks targeting this sector remain prevalent, with a focus on Internet Service Providers and social media platforms. The emergence of gaming-related impersonations adds to the complexity of threats, particularly in Southeast Asia. The United States stands out as a significant origin of these attacks, driven by its robust digital infrastructure.
Despite moderate risk levels, ransomware incidents targeting the industry are consistent, with notable groups such as BlackBasta, LockBit3 and Play recording the highest numbers of victims. The USA remains the most affected country, with victims recorded in 24 other countries. Sectors such as Telecommunication devices and services, Marketing, and Advertising are prominently targeted.