Cyber Incident Victim: French Ministry of Europe and Foreign Affairs
Date: Aug 2019
Location: France
Summary
A North Korean-linked hacking group, Kimsuky, conducted a phishing campaign targeting diplomatic entities and research organizations focused on North Korea's nuclear program and international sanctions. The attackers created fraudulent login portals impersonating the French Ministry for Europe and Foreign Affairs, along with institutions including Stanford University and think tanks in the U.K. and Slovakia, aiming to steal credentials for espionage purposes. While no breaches were confirmed, the operation used infrastructure previously associated with North Korean military-aligned actors, with phishing domains hosted on shared servers. Additional targets included government agencies and academic centers analyzing regional security issues related to North Korea, though all identified malicious sites were offline at the time of reporting.
Description
In August 2019, researchers from Anomali identified a phishing campaign targeting entities associated with North Korea’s nuclear program and international sanctions enforcement. The operation involved malicious websites impersonating legitimate login portals for the French Ministry for Europe and Foreign Affairs, the Slovak Republic’s Ministry of Foreign and European Affairs, Stanford University, and several think tanks. Attackers registered domains mimicking these organizations to harvest credentials from diplomats, researchers, and officials. Anomali discovered the French Ministry phishing page on August 9, 2019; the site included a subdomain targeting multiple French agencies, including the Agency for French Education Abroad and Business France. Analysis of the page’s source code revealed a focus on a senior French diplomat assigned to a UN sanctions committee overseeing disarmament for Iran and North Korea. Additional fraudulent sites impersonated Stanford University’s secure email portal, Sina (a Chinese tech company), South Africa’s foreign ministry, the UK’s Royal United Services Institute, and the U.S. Congressional Research Service. Researchers linked the infrastructure to the Kimsuky threat group through shared IP addresses and command-and-control servers previously associated with North Korean operations. Most domains were offline by late August 2019, though their recent registration suggested they could be used again. Anomali found no evidence of successful breaches but confirmed that phishing pages designed to deceive victims had been created.

The campaign posed risks of credential theft and potential espionage against entities monitoring North Korea’s military activities. Targeted organizations included Stanford’s Center for Security and Cooperation and Asia Pacific Research Center, both engaged in North Korea-related analysis, and the French diplomat involved in UN non-proliferation efforts. Anomali notified affected organizations through standard disclosure protocols and submitted the malicious domains to Google Safe Browsing and Microsoft for blacklisting. External researchers verified the technical findings but cautioned against definitive attribution to North Korea despite infrastructure overlaps with Kimsuky, a group historically linked to Pyongyang. The operation mirrored earlier campaigns such as BabyShark, which Palo Alto Networks tied to Kimsuky in February 2019 after observing phishing emails targeting U.S. institutions discussing North Korean denuclearization. North Korea’s state media had criticized France days before the phishing discovery for participating in UN Security Council discussions on missile tests, which provides context for the targeting. No functional compromise of the impersonated organizations was confirmed, though the specificity of the phishing infrastructure indicated intent to gather intelligence on sanctions and regional security matters.
