I've been known to dip my toe into the security realm. Indeed, I've not only been to Black Hat (a convention), I've paid employees who spoke there. I mention that 'cause the rest needs to be in context, to have some veracity.
Back in about 2000/2001, scuttlebutt was that the Russian secret service (FSS, used to be the KGB) had used computers and had computerized a bunch of their records. They kept getting hacked. So, rather than invest in improving security, truly a cat and mouse type of game, they reverted to keeping their records on paper.
So, assuming that is true, that might be why the hackers are going after these types of corporations. They can't really go after targets that keep their files on paper and not online.
Also notable is how they're getting away with it. Phishing is just another form of social engineering. It's no different really than calling the help desk claiming to be Bob from accounting and needing a password reset.
