Cyber Incident Victim: Sina Corporation
Date: Aug 2019
Location: China
Summary
A North Korean state-aligned hacking group conducted a phishing campaign targeting organizations involved in monitoring or sanctioning North Korea's nuclear activities, including Sina Corporation. The attackers deployed spoofed login portals mimicking legitimate entities to harvest credentials for espionage purposes, leveraging infrastructure previously linked to the Kimsuky threat actor. Researchers identified malicious domains impersonating multiple diplomatic, academic, and research institutions focused on regional security issues, though no confirmed breaches occurred. The operation aimed to compromise accounts of officials engaged in non-proliferation discussions and sanctions enforcement against North Korea.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
Over the course of 2019, culminating in August, a phishing campaign targeted entities engaged in North Korean nuclear sanctions and disarmament discussions. Researchers from Anomali identified malicious domains impersonating legitimate login portals for multiple organizations, including the French Ministry for Europe and Foreign Affairs, the Slovak Republic’s foreign ministry, Stanford University, and the Chinese technology company Sina Corporation. These domains were hosted on infrastructure previously linked to the Kimsuky threat group, which cybersecurity firms such as Palo Alto Networks and AlienVault associate with North Korean military interests. The attackers designed the phishing pages to harvest credentials from diplomatic personnel, researchers, and officials involved in non-proliferation policy, particularly concerning Iran and North Korea. One fraudulent page mimicked Stanford University’s secure email portal and referenced the transmission of sensitive data; another impersonated the French foreign ministry’s internal system and targeted a diplomat assigned to U.N. sanctions committees on North Korea. Anomali’s analysis showed that all of the malicious domains resolved to the same IP address, one that overlapped with historical Kimsuky operations, including the BabyShark malware campaign disclosed by Palo Alto in February 2019.

The campaign’s operational timeline showed domains registered throughout 2019, with Anomali detecting the French ministry phishing page on August 9. No confirmed breaches were reported among the targeted organizations; the activity observed consisted of preparatory infrastructure rather than successful intrusions. Anomali notified the affected entities through standard disclosure protocols and submitted the malicious sites to Google Safe Browsing and Microsoft for blacklisting. Targets extended beyond government bodies to academic institutions such as Stanford’s Center for Security and Cooperation, think tanks such as the U.K.’s Royal United Services Institute, and media entities via a spoofed Gizmodo link. Sina Corporation, a technology firm, was listed among the impersonated organizations, though specific impacts on its systems were not detailed. Researchers observed that most of the domains were inactive by late August 2019 but assessed that they could be repurposed for future attacks. The campaign’s focus on entities monitoring North Korea’s missile program aligned with Pyongyang’s public criticism of U.N. Security Council discussions of its weapons tests earlier that month.
