
Cyber Incident Victim: Congressional Research Service

Date: Aug 2019

Location: United States of America

Summary

A North Korean state-aligned hacking group conducted a phishing campaign targeting entities involved in monitoring North Korea's nuclear program and international sanctions. Attackers deployed malicious websites impersonating login portals for multiple foreign ministries, research institutions including Stanford University, and organizations such as the Congressional Research Service, aiming to steal credentials for espionage purposes. Infrastructure analysis linked the operation to the Kimsuky threat group, with domains hosted on shared servers previously associated with North Korean military cyber activity. While no confirmed breaches occurred, the campaign demonstrated persistent efforts to compromise diplomatic and security-focused entities engaged in non-proliferation discussions related to Pyongyang.


Description

In August 2019, researchers from threat intelligence firm Anomali identified a dormant phishing campaign targeting organizations linked to North Korea’s nuclear program and international sanctions enforcement. The campaign involved malicious websites impersonating legitimate login portals for high-value entities, including the French Ministry for Europe and Foreign Affairs, the Slovak Republic’s Ministry of Foreign and European Affairs, Stanford University, the U.K.’s Royal United Services Institute think tank, and the U.S. Congressional Research Service. Attackers registered domains mimicking these institutions’ web services to harvest credentials from diplomats, researchers, and officials. Anomali’s analysis revealed that all fraudulent domains resolved to the same IP address (185.141.63.83) and command-and-control server previously associated with the Kimsuky threat group, which cybersecurity firms like Palo Alto Networks and AlienVault have linked to North Korean military interests. The phishing pages targeted entities with specific North Korea-related focus areas: Stanford’s portals aligned with its Center for Security and Cooperation and Asia Pacific Research Center, while the French Ministry phishing attempt specifically referenced a diplomat working on U.N. sanctions committees for Iran and North Korea disarmament. Other targets included South Africa’s foreign ministry, Chinese tech firm Sina, and a spoofed Gizmodo media link.


Anomali detected the malicious infrastructure on August 9, 2019, noting that most domains were registered in 2019 but inactive at the time of discovery, suggesting preparatory work for future attacks. Technical analysis confirmed the attackers embedded credential-harvesting mechanisms within counterfeit login pages, including one masquerading as Stanford’s secure email portal for transmitting sensitive data. Researchers identified no confirmed breaches but verified that attackers replicated institutional branding and login workflows to deceive targets. Prior to public disclosure, Anomali notified all affected organizations through standard channels and submitted the phishing domains to Google Safe Browsing and Microsoft for blocklisting. External researchers corroborated Anomali’s technical findings but cautioned against definitive attribution to North Korea despite infrastructure overlaps with Kimsuky’s historical operations, including its use in the 2018 BabyShark malware campaign targeting U.S. institutions discussing North Korean denuclearization. The campaign’s timing coincided with North Korean state media criticism of U.N. Security Council discussions on missile tests, though no direct operational connection was established.
