Massive phishing campaign linked to North Korean threat actors targets multiple foreign ministries and think tanks

• The domain used for the cyber espionage is hosted on the IP 157.7.184[.]15.
• The domain has several subdomains that appear to be designed to impersonate email providers like Yahoo, Outlook, and Google Services.

A new instance of a phishing campaign that leverages a fake login page for French Ministry for Europe and Foreign Affairs (MEAE) has been found targeting foreign ministries of three different countries. Apart from ministries, four research-oriented organizations, five email service providers and United States-based two think tanks are also affected in the campaign.

How does the campaign operate?

The campaign was first discovered by Anomali Threat Research Team on August 9, 2019. The team found that the threat actors used a web page impersonating the French Ministry for Europe and Foreign Affairs (MEAE) to trick its victims. The fake web page ‘portalis.diplomatie.gouv.fr.doc-view[.]work’ looked the same as the legitimate site ‘diplomatie.gouv.fr’.

Researchers noted that if an official from any of the 12 agencies working for the MEAE is able to login to the portal, then it is possible that all twelve agencies are potential victims. This includes:

• Agence Française de Développement (AFD)
• Agency for French Education Abroad (AEFE)
• Agricultural Research Centre for International Development (CIRAD)
• Atout France
• Business France
• Campus France and France Médias Monde
• Canal France International (CFI)
• Expertise France
• France Volontaires
• Institut Français
• Research Institute for Development (IRD)

Worth noting

The domain used for the cyber espionage is hosted on the IP 157.7.184[.]15 and has several subdomains that appear to be designed to impersonate email providers like Yahoo, Outlook, and Google Services. ‌ ‌Further analysis, highlights that the IP address is hosted by the Asia Pacific Network Information Centre (APNIC).

“There are multiple unrelated domains hosted on the same IP address because the IP address is shared. The IP is based in Japan and registered under the Japan Network Information Centre located in Tokyo,” added the researchers.

Other targets

Anomali researchers also came across a malicious subdomain “securemail.stanford.doc-view[.]work” to mimic Stanford University’s Secure Email service - designed for faculty and staff who need to use email to send moderate or high risk data. The same domain also included five other fraudulent subdomains spoofing several institutions which include:

• Congressional Research Service, a United States-based think tank;
• Ministry of Foreign and European Affairs of the Slovak Republic;
• Ministry of Foreign Affairs - Unknown country;
• Royal United Services Institute (RUSI), a United Kingdom-based think tank;
• South African Department of International Relations and Cooperation;
• United Nations delegation.

Conclusion

The identified IP address 157.7.184[.]15 overlaps in infrastructure related to a recent North Korean campaign called ‘Smoke Screen’. The ‘Smoke Screen’ reportedly used domain ‘bigwnet[.]com to distribute the Kimsuky Babyshark network trojan.