Security researchers have uncovered a broad phishing campaign targeting the ministry of foreign affairs in at least three countries, as well as a number of research organizations, including Stanford University, the Royal United Services Institute (RUSI), a United Kingdom-based think tank, Congressional Research Service (CRS), a United States-based think tank. The campaign was discovered by Anomali threat researchers who believe that the malicious activities may be tied to North Korean threat actors conducting cyberespionage based on the fact that the infrastructure in use has been previously tied to the recent North Korean campaign called “Smoke Screen” reported on by ESTSecurity in April 2019.

The new campaign was observed at the beginning of August 2019 after the team found a phishing web page impersonating the French Ministry for Europe and Foreign Affairs (MEAE). The fake web page ‘portalis.diplomatie.gouv.fr.doc-view[.]work’ looked the same as the legitimate site ‘diplomatie.gouv.fr’. According to the legitimate site, access is restricted to “MEAE agents”. The legitimate website for “France Diplomatie”, describes MEAE agents as potentially working for one of 12 agencies for the “Ministry for Europe and Foreign Affairs”. Researchers noted that if an official from any of these agencies is able to login to the portal, then it is possible that all twelve of these agencies are potential victims, which includes:

• Agence Française de Développement (AFD)

• Agency for French Education Abroad (AEFE)

• Agricultural Research Centre for International Development (CIRAD)

• Atout France

• Business France

• Campus France and France Médias Monde

• Canal France International (CFI)

• Expertise France

• France Volontaires

• Institut Français

• Research Institute for Development (IRD)

By tricking diplomats and other victims into submitting their credentials to a malicious website the threat actors behind this campaign could then use that information to spy on the affected inbox. While it was not immediately clear who is behind this espionage effort the researchers identified command-and-control server (“bigwnet[.]com”) and the IP address tied to the Kimsuky campaign previously associated with North Korea.

The domain used for the cyber espionage is hosted on the IP 157.7.184[.]15 and has several subdomains that appear to be designed to impersonate email providers like Yahoo, Outlook, Ymail, and Google Services.

“The IP address 157.7.184[.]15 is hosted by the Asia Pacific Network Information Centre (APNIC). There are multiple unrelated domains hosted on the same IP address because the IP address is shared. The IP is based in Japan and registered under the Japan Network Information Centre located in Tokyo,” reads the report.

The researchers also have found a malicious subdomain “securemail.stanford.doc-view[.]work” impersonating Stanford University’s Secure Email service – a service designed for faculty and staff who need to use email to send moderate or high risk data. It is worth noting that Stanford University is also hosts the Center for Security and Cooperation and the Asia Pacific Research Center both of which deliver research on North Korea-related issues among other things.

The same domain also included five other fraudulent subdomains spoofing several institutions, namely:

• Congressional Research Service, a United States-based think tank;

• Ministry of Foreign and European Affairs of the Slovak Republic;

• Ministry of Foreign Affairs - Unknown country;

• Royal United Services Institute (RUSI), a United Kingdom-based think tank;

• South African Department of International Relations and Cooperation;

• United Nations delegation.

“The purpose of this campaign is likely to gain access to the information, but it is difficult to know exactly what the end goal is for the adversary. After gaining access to the internal email service of an organisation, it is possible to compromise the organisation in many other ways. Whilst researching this campaign, many of the domains were not active, although most were registered this year. It might be that the adversary has been waiting to use the infrastructure for a future attack,” concluded the researchers.