
Cyber Incident Victim: Stanford University

Date: Aug 2019

Location: United States of America

Summary

A North Korean state-linked hacking group conducted a phishing campaign targeting Stanford University and other entities focused on North Korea's nuclear program and international sanctions. Attackers created fraudulent login portals mimicking the university's secure email service and diplomatic agencies across multiple countries, aiming to harvest credentials for espionage purposes. The operation used infrastructure previously associated with the Kimsuky threat group, which aligns with Pyongyang's military interests. Researchers identified malicious domains impersonating several foreign ministries, think tanks, and research organizations, though no successful breaches were confirmed. The campaign specifically targeted institutions engaged with disarmament discussions and regional security analysis related to North Korea, reflecting persistent cyber-espionage efforts against stakeholders in nuclear non-proliferation matters.

CIA Posture: available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: available to members
Location: available to members

Description

In August 2019, researchers from threat intelligence firm Anomali identified a phishing campaign targeting organizations engaged with North Korea’s nuclear weapons program and international sanctions enforcement. The operation involved malicious websites impersonating legitimate login portals for entities including Stanford University, the French Ministry for Europe and Foreign Affairs, the Slovak Republic’s foreign ministry, the UK’s Royal United Services Institute think tank, and China’s Sina technology company. Attackers registered domains mimicking these institutions’ web services, such as a fraudulent Stanford secure email portal urging users to submit "moderate or high risk data." Anomali’s analysis revealed the infrastructure reused IP addresses and command-and-control servers previously linked to Kimsuky (also known as Thallium), a North Korean-aligned hacking group historically targeting Western diplomatic and national security entities. The phishing pages, designed to harvest credentials, specifically focused on institutions like Stanford’s Center for Security and Cooperation and Asia Pacific Research Center, which analyze North Korean security issues. Other targets included a French diplomat working on UN sanctions committees for Iran and North Korea, South Africa’s foreign ministry, and the Congressional Research Service. Researchers noted the domains were registered in 2019 but mostly dormant, suggesting preparatory work for future attacks.


Anomali disclosed its findings to affected organizations through standard notification procedures prior to public release on August 22, 2019, and submitted the malicious sites to Google Safe Browsing and Microsoft for blacklisting. No evidence indicated successful breaches at any named institutions, as the campaign only involved deploying phishing pages rather than compromising internal systems. The operation coincided with North Korean state media criticizing France and other UN Security Council members for discussing Pyongyang’s missile tests. Technical overlaps with the Kimsuky group’s infrastructure, including reused IP addresses and domains previously attributed to North Korean operations, strengthened analysts’ assessment of the campaign’s origin. Palo Alto Networks’ prior research on the BabyShark malware campaign, which targeted a U.S. university discussing North Korean denuclearization, showed similar thematic alignment with regional security issues. Stanford University representatives did not respond to requests for comment regarding the impersonation of their services. Anomali’s investigation also uncovered a spoofed Gizmodo media link among the phishing domains, though the page was offline during analysis, preventing further assessment of its intent.

Sources: 1 source (available to members)