Date: Aug 2019

Location: South Africa

Summary

A North Korean-linked hacking group, Kimsuky, conducted a phishing campaign targeting the South African Department of International Relations and Cooperation, among other foreign ministries and research organizations focused on North Korea's nuclear program and international sanctions. The attackers deployed fraudulent login portals mimicking legitimate institutional websites to harvest credentials for espionage purposes. Similar infrastructure targeted entities in France, Slovakia, the U.K., and the U.S., including academic and think-tank organizations analyzing regional security. While the malicious domains were hosted on servers previously associated with North Korean operations, no confirmed breaches were reported, with attackers only establishing phishing landing pages. Researchers noted overlaps with known North Korean military-aligned activity but emphasized caution regarding definitive attribution.


Description

In August 2019, researchers from the threat intelligence firm Anomali identified a dormant phishing campaign targeting multiple organizations with interests in North Korea’s nuclear weapons program and international sanctions enforcement. The campaign involved malicious websites impersonating legitimate login portals for entities including the French Ministry for Europe and Foreign Affairs, the Slovak Republic’s foreign ministry, Stanford University, and South Africa’s Department of International Relations and Cooperation. Attackers registered domains mimicking these institutions’ web services to harvest credentials from diplomats, researchers, and officials. Anomali determined that the infrastructure reused IP addresses and command-and-control servers previously associated with Kimsuky, a North Korean-aligned hacking group also known as Thallium, which the cybersecurity firms Palo Alto Networks and AlienVault had linked to Pyongyang. The phishing pages targeted organizations engaged with North Korean disarmament issues, including Stanford’s Center for Security and Cooperation, the French Mission Team to the U.N., and the Royal United Services Institute think tank in the U.K. Researchers identified a specific French diplomat working on U.N. sanctions committees for Iran and North Korea as a likely intended victim.


Anomali discovered the network through an August 9, 2019, analysis of a fake French foreign ministry portal that contained a suspicious subdomain targeting multiple French agencies. Further investigation revealed dozens of malicious domains hosted on a single IP address, including impersonations of Stanford’s secure email service, China’s Sina technology company, and the Congressional Research Service. Most domains were registered in 2019 but were inactive when analyzed, suggesting preparatory work for future attacks. Anomali notified affected organizations through standard disclosure protocols and submitted the phishing sites to Google Safe Browsing and Microsoft for blacklisting. External researchers verified the technical findings but cautioned against definitive attribution to North Korea despite infrastructure overlaps with known Kimsuky campaigns. Palo Alto Networks had previously documented related activity through the BabyShark malware campaign, which targeted U.S. institutions discussing North Korean denuclearization. No evidence indicated successful breaches at any named organization, as the operation involved only the creation of credential-harvesting pages rather than confirmed system compromises.
