Cyber Incident Victim: Royal United Services Institute

Date: Nov 2018

Location: United States of America

Summary

A North Korean-linked hacking group, Kimsuky, conducted a phishing campaign targeting organizations involved in monitoring North Korea's nuclear program and sanctions enforcement, including the Royal United Services Institute. Attackers created fraudulent login portals mimicking legitimate websites of multiple entities, such as foreign ministries, academic institutions, and think tanks, to harvest credentials for espionage purposes. The operation used infrastructure previously associated with North Korean military-aligned threat actors, with phishing domains hosted on shared servers. While no breaches were confirmed, the campaign aimed to compromise diplomatic and research accounts related to non-proliferation efforts. Targets included entities focused on regional security issues, with attackers tailoring deceptive pages to specific victims' organizational contexts.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 1 technique

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

In August 2019, researchers from threat intelligence firm Anomali identified a dormant phishing campaign targeting entities engaged with North Korea’s nuclear program and international sanctions enforcement. The operation involved malicious websites impersonating legitimate login portals for multiple organizations, including the French Ministry for Europe and Foreign Affairs, the Slovak Ministry of Foreign and European Affairs, Stanford University, and the UK-based Royal United Services Institute (RUSI). Attackers registered domains designed to mimic these institutions’ web services, aiming to harvest credentials from diplomats, researchers, and officials. Technical analysis revealed the infrastructure overlapped with the Kimsuky threat group, which cybersecurity firms like Palo Alto Networks and AlienVault previously linked to North Korean military interests. The campaign’s targets shared a thematic focus: Stanford’s Center for Security and Cooperation and Asia Pacific Research Center analyzed North Korean security issues, while RUSI contributed to policy discussions on sanctions and non-proliferation. Anomali discovered the phishing network on August 9, 2019, noting that most domains were registered in 2019 but inactive at the time of disclosure, suggesting preparatory work for future attacks. One spoofed French Ministry portal contained code referencing a senior diplomat assigned to a UN sanctions committee overseeing North Korean and Iranian disarmament.

Anomali’s investigation confirmed all malicious domains resolved to a shared IP address and command-and-control server historically tied to Kimsuky operations. The phishing pages displayed varying sophistication—some closely replicated official portals like Stanford’s secure email service, which urged users to submit “moderate or high risk data,” while others, such as a fake Gizmodo link, lacked functional content. Additional targets included South Africa’s foreign ministry, China’s Sina technology company, and the US Congressional Research Service. No evidence confirmed successful breaches, but the campaign’s design indicated intent to compromise accounts for espionage purposes. Anomali followed standard disclosure protocols, notifying affected organizations and submitting domain indicators to Google Safe Browsing and Microsoft for blacklisting. External researchers verified the technical findings but cautioned against definitive attribution to North Korea despite infrastructure overlaps with prior Kimsuky activity. The incident highlighted continued targeting of entities involved in sanctions policy and regional security analysis, aligning with North Korea’s public criticism of UN discussions on its missile tests earlier that month.
