Date: Aug 2019

Location: Slovakia
Summary

A North Korean-linked hacking group conducted a credential-phishing campaign targeting the Slovak Ministry of Foreign and European Affairs and other entities focused on North Korea's nuclear program and international sanctions. The attackers set up malicious websites impersonating the legitimate login portals of diplomatic agencies, academic institutions, and research organizations in order to harvest account credentials for espionage. The operation used infrastructure tied to the Kimsuky threat group, which multiple security firms have linked to North Korean military interests. Researchers identified command-and-control servers that overlapped with previously documented campaigns against Western diplomatic and security stakeholders. No breaches were confirmed; the phishing sites were intended to compromise the accounts of officials involved in non-proliferation discussions. Additional targets included French diplomatic entities, Stanford University research centers, and international think tanks analyzing regional security issues.


Description

In August 2019, researchers from the threat intelligence firm Anomali identified a dormant phishing campaign targeting organizations linked to North Korea’s nuclear program and international sanctions enforcement. The operation involved malicious websites impersonating the legitimate login portals of entities including the Ministry of Foreign and European Affairs of the Slovak Republic, France’s Ministry for Europe and Foreign Affairs, Stanford University, and several think tanks. The attackers registered domains mimicking these institutions’ web services in order to harvest credentials from diplomats and researchers. Anomali discovered the infrastructure on August 9, 2019, while analyzing a fraudulent French foreign ministry portal that also hosted a subdomain targeting multiple French government agencies. Technical analysis showed that all of the malicious domains resolved to a single IP address and shared a command-and-control server previously associated with the Kimsuky threat group, which multiple security firms have linked to North Korean military interests. The inclusion of the Slovak foreign ministry matched the campaign’s focus on entities engaged with North Korean disarmament issues; no successful breach of any targeted organization was confirmed.


Anomali’s investigation determined that the attackers reused infrastructure tied to earlier Kimsuky operations, including domains that had already been publicly reported as North Korean. The campaign overlapped with the BabyShark malware operation previously attributed to Kimsuky, which targeted U.S. institutions discussing denuclearization. Researchers found additional phishing pages impersonating Stanford University’s secure email system, South Africa’s foreign ministry, the UK’s Royal United Services Institute, and media outlets such as Gizmodo. Most of the domains were inactive by mid-August 2019 but had been registered earlier that year, suggesting they were being held for future use. Anomali followed standard disclosure practice, notifying the affected organizations and submitting all of the malicious sites to Google Safe Browsing and Microsoft for blocklisting. External researchers verified the technical findings but cautioned against definitive attribution to North Korea on the basis of infrastructure overlaps alone. The campaign demonstrates the persistent credential-harvesting targeting of diplomatic and research entities focused on Northeast Asian security issues.
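The two pivots described above, lookalike login-portal domains and the single IP address they all resolved to, are what let researchers expand from one fraudulent portal to the whole campaign. The script below is an added illustration of that triage logic written for this page; it is not code from Anomali or from the report, and it uses constructed passive-DNS-style records on reserved `.test` names and TEST-NET addresses, not the campaign's real indicators. The legitimate domains it protects (mzv.sk, diplomatie.gouv.fr, stanford.edu, rusi.org) are assumed values for the organisations the page names.

```python
"""Triage a set of observed domains: flag lookalikes of protected login
portals, then pivot on shared hosting IPs to surface co-hosted domains.

Added example for this page. All records below are constructed; they are
not indicators from the Kimsuky / Anomali reporting.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Assumed legitimate domains of the organisations named on the page
# (illustration values, not taken from the page itself).
LEGITIMATE = {"mzv.sk", "diplomatie.gouv.fr", "stanford.edu", "rusi.org"}

# Brand tokens attackers imitate, mapped to the owner for reporting.
PROTECTED_BRANDS = {
    "mzv": "Slovak Ministry of Foreign and European Affairs",
    "diplomatie": "French Ministry for Europe and Foreign Affairs",
    "stanford": "Stanford University",
    "rusi": "Royal United Services Institute",
}

# Common character substitutions used to build lookalike labels.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
              "rn": "m", "vv": "w"}

# Constructed sample data: (domain, resolved IP) pairs.
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    ("mzv-sk-mail.test", "198.51.100.7"),       # brand used as a label
    ("diplomatle-gouv.test", "198.51.100.7"),   # one-character typo
    ("stanf0rd-webmail.test", "198.51.100.7"),  # homoglyph (0 for o)
    ("support-portal.test", "198.51.100.7"),    # co-hosted, not a lookalike
    ("rusi.org", "203.0.113.10"),               # legitimate, allow-listed
    ("gardening-tips.test", "203.0.113.10"),    # unrelated
]


def normalize(label: str) -> str:
    """Undo common homoglyph substitutions so 'stanf0rd' compares as 'stanford'."""
    label = label.lower()
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_legitimate(domain: str) -> bool:
    d = domain.lower().rstrip(".")
    return any(d == legit or d.endswith("." + legit) for legit in LEGITIMATE)


def lookalike_reason(domain: str) -> Optional[str]:
    """Return why `domain` resembles a protected brand, or None if it does not."""
    if is_legitimate(domain):
        return None
    labels = domain.lower().rstrip(".").split(".")
    # Examine every label except the TLD, split on hyphens so that
    # 'mzv-sk-mail' is checked token by token.
    tokens = [t for label in labels[:-1] for t in label.split("-")]
    for tok in tokens:
        norm = normalize(tok)
        for brand, owner in PROTECTED_BRANDS.items():
            if norm == brand and tok != brand:
                return f"homoglyph of '{brand}' ({owner})"
            if norm == brand:
                return f"brand '{brand}' used as a label ({owner})"
            # Edit distance only for brands long enough to avoid noise.
            if len(brand) >= 5 and levenshtein(norm, brand) == 1:
                return f"one edit away from '{brand}' ({owner})"
    return None


def cluster_by_ip(records: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    by_ip: Dict[str, List[str]] = defaultdict(list)
    for domain, ip in records:
        by_ip[ip].append(domain)
    return {ip: sorted(ds) for ip, ds in by_ip.items()}


def triage(records: List[Tuple[str, str]]) -> Dict[str, object]:
    """Flag lookalikes, then treat every domain sharing an IP with one as suspect."""
    by_ip = cluster_by_ip(records)
    lookalikes = {d: r for d, _ in records if (r := lookalike_reason(d))}
    bad_ips = {ip for d, ip in records if d in lookalikes}
    cohosted = sorted(d for ip in bad_ips for d in by_ip[ip] if d not in lookalikes)
    return {"lookalikes": lookalikes, "bad_ips": sorted(bad_ips),
            "cohosted_suspects": cohosted}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RECORDS).items():
        print(key, value)
```

Running it on the constructed records flags the three lookalikes, marks 198.51.100.7 as shared infrastructure, and surfaces `support-portal.test` as a co-hosted domain worth a second look even though its name imitates nothing. That last step mirrors the pivot on a single IP and C2 server in the text: once one host is tied to a known operation, everything resolving to it inherits the suspicion, and any analyst doing this for real would confirm with registration dates and hosting history before blocking.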
