Suspected North Korean Cyber Espionage Campaign Targets Multiple Foreign Ministries and Think Tanks

Suspected North Korean Cyber Espionage Campaign Targets Multiple Foreign Ministries and Think Tanks

August 21, 2019 | Anomali Labs

revised on August 22, 2019

Anomali researchers recently observed a site masquerading as a login page for a diplomatic portal linked to the French government. Further analysis of the threat actor’s infrastructure uncovered a broader phishing campaign targeting three different countries’ Ministry of Foreign Affairs agencies. Also targeted were four research-oriented organisations including: Stanford University, the Royal United Services Institute (RUSI), a United Kingdom-based think tank, Congressional Research Service (CRS), a United States-based think tank, and five different email service providers. There is an overlap of infrastructure with known North Korean actors, including the same domain and shared hosting provider. Because of the links between one of the victims and their work on North Korean sanctions, we expect to see malicious actors continue to target the international staff involved in a similar official capacity.

Prior to the release of this blog post, we have submitted the phishing sites to Google Safebrowsing and Microsoft for blacklist consideration.

Targeting of French Ministry of Europe and Foreign Affairs

On August 9, 2019, The Anomali Threat Research Team discovered a web page impersonating the French Ministry for Europe and Foreign Affairs (MEAE) online portal. The malicious host “portalis.diplomatie.gouv.fr.doc-view[.]work”[1] bears a strong resemblance to the legitimate site “diplomatie.gouv.fr”. When navigating to the suspicious subdomain, users are displayed with a phishing site mimicking the MEAE portal. According to the legitimate site, access is restricted to “MEAE agents”. The legitimate website for “France Diplomatie”, describes MEAE agents as potentially working for one of 12 agencies for the “Ministry for Europe and Foreign Affairs”. If an official from any of these agencies is able to login to the portal, then it is possible that all twelve of these agencies are potential victims, which includes:

  • Agence Française de Développement (AFD)
  • Agency for French Education Abroad (AEFE)
  • Agricultural Research Centre for International Development (CIRAD)
  • Atout France
  • Business France
  • Campus France and France Médias Monde
  • Canal France International (CFI)
  • Expertise France
  • France Volontaires
  • Institut Français
  • Research Institute for Development (IRD)

Faux login page for the portal of the Ministry of Europe and Foreign Affairs (MEAE)
Figure 1 - Faux login page for the portal of the Ministry of Europe and Foreign Affairs (MEAE)

The screenshot above shows the webpage designed to look like the MEAE portal. The screenshot shows a session timeout popup window for the victim who has attempted to login. In this instance, although not visibly clear, the page source shows the intended victim. This person was most likely targeted in a phishing campaign.

Page source code for MEAE portal and victim email address
Figure 2 - Page source code for MEAE portal and victim email address

The email in the page source code is for an employee of the target organisation. According to delegefrance[.]org, the email address in the page source code belongs to a senior official assigned to the French Mission Team to the United Nations in New York. Moreover, this French diplomat works in the “Disarmament, Non-Proliferation, Sanctions committees: Iran, North Korea, 1st Committee”.[2]

Threat Infrastructure Analysis

The malicious URL “portalis.diplomatie.gouv.fr.doc-view[.]work” is mimicking a diplomatic portal on the malicious domain “doc-view[.]work”. This domain is hosted on the IP 157.7.184[.]15 and has several subdomains that appear to be designed to impersonate email providers. The IP address also appears to have several similar domains and URLs that share some patterns in naming conventions.

Similar named domains hosted on the same IP address
Figure 3 - Similar named domains hosted on the same IP address

The IP address 157.7.184[.]15 is hosted by the Asia Pacific Network Information Centre (APNIC). There are multiple unrelated domains hosted on the same IP address because the IP address is shared. The IP is based in Japan and registered under the Japan Network Information Centre located in Tokyo.

The most recently used domains on this IP address that share the same naming conventions are the following four domains:

Domain 1 - doc-view[.]work

The domain doc-view[.]work is hosted on IP 157.7.184[.]15. The domain has 32 subdomains.[3] Most of the subdomains appear to be spoofing email service providers Yahoo, Outlook, Ymail and Google services. Both the domain and some of the subdomains appear to have been set up to look like they will allow the victim to access documents; the use of Microsoft OneDrive for example.

An overview of high profile phishing sites on domain doc-view[.]work
Figure 4 - An overview of high profile phishing sites on domain doc-view[.]work

Figure 4 above depicts the most interesting subdomains created for the domain doc-view[.]work to include two subdomains set up to impersonate the MEAE login. We also identified a subdomain “securemail.stanford.doc-view[.]work” created by the malicious actor to mimic Stanford University’s Secure Email service.[4] According to Stanford University IT Department’s website, the Secure Email service is designed for faculty and staff who need to use email to send moderate or high risk data. Of note, Stanford University hosts the Centre for International Security and Cooperation (CISAC) and the Asia Pacific Research Centre (APARC) - both of which are part of the Freeman Spogli Institute for International Studies. These research centres host a number of talks and deliver research on a variety of international issues including ongoing developments in North Korea.

Screenshot of Stanford University’s Secure Email-themed phishing site securemail.stanford.doc-view[.]work
Figure 5 - Screenshot of Stanford University’s Secure Email-themed phishing site securemail.stanford.doc-view[.]work

The submitted URL in URLScan.io, an online service for scanning and analyzing websites, shows the potential victim in the screenshot available, confirms the target institute as being Stanford University. A search in the Stanford Directory did not reveal anyone associated with this email address at Stanford University.

When investigating SSL/TLS certificates issued for the domain doc-view[.]work, there were five other fraudulent subdomains spoofing two think tanks, two foreign government agencies, and a United Nations organization.

  • Congressional Research Service, a United States-based think tank
  • Ministry of Foreign and European Affairs of the Slovak Republic
  • Ministry of Foreign Affairs - Unknown country
  • Royal United Services Institute (RUSI), a United Kingdom-based think tank
  • South African Department of International Relations and Cooperation
  • United Nations delegation

Domain 2. app-support[.]work

The domain app-support[.]work is hosted on the same IP address 157.7.184[.]15. The domain has a number of subdomains that look like they are attempting to impersonate popular email providers such as Yahoo and Gmail. The use of the domain “app-support” suggests the campaigns associated with this domain may be targeting smart-phones or Apple devices, because of the use of the word “app”.

An overview of phishing sites associated with the domain app-support[.]work
Figure 6 - An overview of phishing sites associated with the domain app-support[.]work

High profile targets in the above diagram include:

  • Sina - A Chinese technology company

Domain 3. web-line[.]work

The domain web-line[.]work is hosted on the IP 157.7.184[.]15. The domain has a number of subdomains that appear to be mimicking well-known online services such as Google’s Gmail and Microsoft’s OneDrive. Interestingly, the domain owner also created a seemingly identical MEAE-themed subdomain “portalis.diplomatie.gouv.web-line[.]work” that presumably attempts to mimic the MEAE portal. At the time of this report, the website was unresponsive; therefore, we were unable to obtain a screenshot of the page or analyze the site’s source code. Due to the domain name and infrastructure similarities of the original discovery, we judge with moderate confidence that the second subdomain was most likely created to target MEAE using the same techniques discussed above.

An overview of phishing sites associated with the domain web-line[.]work
Figure 7 - An overview of phishing sites associated with the domain web-line[.]work

In Figure 7, we highlight several high profile organizations targeted by the attackers. The following list reflects the most interesting targets in the overview of subdomains:

  • Mail.fed.be - possible attempt to target the Federal government of Belgium
  • Ministry of Europe and Foreign Affairs - France (MEAE)
  • Ministry of Foreign Affairs (MOFA) - unknown country
  • Sina - a Chinese technology company
  • The Department of International Relations and Cooperation - The foreign ministry of the South African government

Domain 4. sub-state[.]work

When investigating passive DNS results on the same IP address 157.7.184[.]15, the domain “sub-state[.]work” was discovered. This domain has ten subdomains that follow the same naming conventions as the ones mentioned already.

An overview of phishing sites hosted on domain sub-state[.]work
Figure 8 - An overview of phishing sites hosted on domain sub-state[.]work

In Figure 8 it is possible to see subdomains impersonating the following organisations:

  • Asahi News organisation - one of five major newspapers in Japan
  • Ministry of Foreign Affairs - South Korea

Who’s Behind These Attacks?

The IP address 157.7.184[.]15 is shared and therefore home to both legitimate and malicious activity. However, there is an overlap in infrastructure in a recent North Korean campaign called “Smoke Screen” reported on by ESTSecurity in April 2019[5]. The domain “bigwnet[.]com” was reportedly used as a command and control (C2) for the Kimsuky Babyshark network trojan, which is also hosted on the same IP address. Kimsuky Babyshark network trojan is associated with North Korea.

According to DomainWatch, an online service that collects domain registrant information, there is a registrant email address that appears to link a number of the aforementioned domains: ringken1983[at]gmail.com.[6]

Whois information for the domain doc-view[.]work
Figure 9 - Whois information for the domain doc-view[.]work

DomainWatch also shows that the following domains are also registered with the same email address:

Domains registered with the email address ringken1983[at]gmail[.]com
Figure 10 - Domains registered with the email address ringken1983[at]gmail[.]com

There are two other registrant emails identified for two related domains; “web-line[.]work” and “drog-service[.]com”.

Domains registered with email address dragon1988[at]india[.]com
Figure 11 - Domains registered with email address dragon1988[at]india[.]com

Domains registered with email address okonoki_masao[at]yahoo[.]co.jp
Figure 12 - Domains registered with email address okonoki_masao[at]yahoo[.]co.jp

The domain “Dauum[.]net” appears to be mimicking the South Korean web portal, Daum, which is an email provider among other services. In January 2019, North Korean actors were reported to have been targeting the Daum, Naver, and kakaoTalk services (all popular South Korean services), registering a number of similar-looking domains.[7]

Conclusion

Many of the organisations targeted in this campaign offer insight for strategic direction and goals of a particular country (South Korea for example). The targeting of foreign ministries for four different countries, and the persistent attempt to masquerade as email or online document services is most likely to gain access to the victim’s sensitive communications and/or information. The purpose of this campaign is likely to gain access to the information, but it is difficult to know exactly what the end goal is for the adversary. After gaining access to the internal email service of an organisation, it is possible to compromise the organisation in many other ways. Whilst researching this campaign, many of the domains were not active, although most were registered this year. It might be that the adversary has been waiting to use the infrastructure for a future attack. There is an overlap with North Korean indicators in this research, and similar targeting to previous campaigns already reported.

Endnotes

[1] URLScan, “portalis.diplomatie.gouv.web-line[.]work,” urlscan.io, accessed August 9, 2019, submitted July 23, 2019, https://urlscan.io/result/7e347bdc-8e0e-485b-93b2-6df2b919d768/.

[2] The French Mission Team, “Permanent mission of France to the United Nations in New York,” Ministry of Europe and Foerign Affairs, accessed August 12, 2019, https://onu.delegfrance.org/The-French-Mission-Team-8786.

[3] Censys, “doc-view[.]work,” Censys Certificate Search, accessed August 9, 2019, https://censys.io/certificates?q=%22doc-view.work%22.

[4] Stanford University, “Email:Secure Email: Email for Moderate and High Risk Data,” accessed August 14, 2019, published November 8, 2018, https://uit.stanford.edu/service/secureemail.

[5] Alyac, “Kimsuky’s APT Campaign ‘Smoke Screen’ Revealed for Korea and US,” ESTsecurity, accessed August 14, 2019, published April 17, 2019, https://blog.alyac.co.kr/2243.

[6] DomainWatch, “doc-view[.]work,” DomainWatch WhoIs, accessed August 12, 2019, https://domainwat.ch/whois/doc-view.work.

[7] BRI, “#1267555: Konni Campaign Targetting Mobiles - Additional IOCs,” BRI Alert, accessed August 14, 2019, published July 15, 2019, https://brica.de/alerts/alert/public/1267555/konni-campaign-targetting-mobiles-additional-iocs/.

Appendix A - Indicators of Compromise

The table below represents the malicious infrastructure and basic description of each indicator of compromise observed in the phishing campaign:

Indicators of CompromiseDescription
157.7.184[.]15Shared hosting server with multiple suspicious and phishing sites
doc-view[.]workMalicious domain
web-line[.]workMalicious domain
app-support[.]workMalicious domain
login-confirm[.]workMalicious domain
member-service[.]workMalicious domain
short-line[.]workMalicious domain
alone-service[.]workMalicious domain
minner[.]workMalicious domain
com-main[.]workMalicious domain
sub-state[.]workMalicious domain
check-up[.]workMalicious domain
portalis.diplomatie.gouv.web-line[.]workPhishing site mimicking the Ministry of Europe and Foriegn Affairs (MEAE) portal
account.googlie.com.doc-view[.]workPhishing site
crsreports.congress.doc-view[.]workPhishing site mimicking the Congressional Research Service
delegate.int.doc-view[.]workPhishing site likely to be mimicking the United Nations delegate login
drive.google.doc-view[.]workPhishing site
drive.storage.com.doc-view[.]workPhishing site
drives.google.doc-view[.]workPhishing site
hostmaster.doc-view[.]workPhishing site
login-history.doc-view[.]workPhishing site
login-onedrive.doc-view[.]workPhishing site
login.live.doc-view[.]workPhishing site
login.outlook.doc-view[.]workPhishing site
login.yahoo-sec.doc-view[.]workPhishing site
login.yahoo.doc-view[.]workPhishing site
login.ymail.doc-view[.]workPhishing site
mail.doc-view[.]workPhishing site
mail.mofa.gov.doc-view[.]workPhishing site mimicking the Ministry of Foriegn Affairs (MOFA) - unknown country
mail.preview.doc-view[.]workPhishing site
mail.sec.doc-view[.]workPhishing site
mail.view.doc-view[.]workPhishing site
mail.xmailgateway.doc-view[.]workPhishing site
myaccount.google.doc-view[.]workPhishing site
myaccount.protect.doc-view[.]workPhishing site
myaccount.setting.doc-view[.]workPhishing site
mzv.sk.doc-view[.]workPhishing site mimicking the Ministry of Foreign and European Affairs of the Slovak Republic
one-drive.storage.doc-view[.]workPhishing site
onedrive.com.doc-view[.]workPhishing site
portalis.diplomatie.gouv.doc-view[.]workPhishing site mimicking the Ministry of Europe and Foriegn Affairs (MEAE) portal
portalis.diplomatie.gouv.fr.doc-view[.]workPhishing site mimicking the Ministry of Europe and Foriegn Affairs (MEAE) portal
rusi.org.doc-view[.]workPhishing site mimicking the UK think tank RUSI
securemail.stanford.doc-view[.]workPhishing site mimicking Stanford University
ubmail.dirco.gov.doc-view[.]workPhishing site mimicking the Department of International Relations and Cooperation of the Foreign Ministry of the South African government
www.str8-creative.com.doc-view[.]workPhishing site
rive.storage.com.doc-view[.]workPhishing site
login.yalnoo-sec.doc-view[.]workPhishing site
login.onedrive-storage.doc-view[.]workPhishing site
david.gizmodo.com.doc-view[.]workPhishing site
drive.storage.login-confirm[.]workPhishing site
share.doc.login-confirm[.]workPhishing site
accounts.live.com.member-service[.]workPhishing site
accounts.msn.com.member-service[.]workPhishing site
accounts.outlooks.com.member-service[.]workPhishing site
ccounts.outlooks.com.member-service[.]workPhishing site
edit.accounts.member-service[.]workPhishing site
maii.ocn-accounts.member-service[.]workPhishing site
mail.ocn-accounts.member-service[.]workPhishing site
login.outlook.short-line[.]workPhishing site
1drv.ms.web-line[.]workPhishing site
drive.storage.com.web-line[.]workPhishing site
hostingemail.digitalspace.web-line[.]workPhishing site
login.live.web-line[.]workPhishing site
mail.fed.be.web-line[.]workPhishing site
mail.mofa.gov.web-line[.]workPhishing site
mail.xmailgateway.web-line[.]workPhishing site
portalis.diplomatie.gouv.web-line[.]workPhishing site
ubmail.dirco.gov.web-line[.]workPhishing site
edit-accounts.ntt-ocn.alone-service[.]workPhishing site
login-accounts.yahoojp.minner[.]workPhishing site
login-accounts.yaoojp.minner[.]workPhishing site
login.live.com-main[.]workPhishing site
login.ymail.com-main[.]workPhishing site
mail.mofa.go.kr.sub-state[.]workPhishing site
accounts.ocn-setting.app-support[.]workPhishing site
login-accounts.view.app-support[.]workPhishing site
login.yahoo.app-support[.]workPhishing site
loing-accounts.view.app-support[.]workPhishing site
myaccount.google-monitor.app-support[.]workPhishing site
myaccounts.google-set.app-support[.]workPhishing site
vip-sina.com.cn.app-support[.]workPhishing site
accounts.lives.com.check-up[.]workPhishing site
accounts.msn.com.check-up[.]workPhishing site
accounts.outlookes.check-up[.]workPhishing site
accounts.outlooks.check-up[.]workPhishing site
lh.yahoojp.check-up[.]workPhishing site
mail.ocn-accounts.check-up[.]workPhishing site
ringken1983[at]gmail[.]comAdversary email address used to register domains
dragon1988[at]india[.]comAdversary email address used to register domains
okonoki_masao[at]yahoo[.]co[.]jpAdversary email address used to register domains

For more information, contact Joe Franscella: jfranscella@anomali.com

Anomali Labs
About the Author

Anomali Labs

Get the latest threat intelligence news in your email.