During its investigations and with the cooperation of multiple partners, ANSSI has discovered several clusters of malicious activity, including domain names, subdomains and email addresses, used in a large attack campaign with traces going back to 2017. The threat actor registered multiple domain names and created several subdomains with a naming pattern revealing its potential targets. The main purpose of these activities seems to be credential gathering, by means of spearphishing emails and phishing websites.
The range of supposed targets is wide, including country officials and think tanks. Five possibly targeted diplomatic entities belong to member countries of the United Nations Security Council (China, France, Belgium, Peru, South Africa).
Attribution of a cyber attack to a threat actor is a complex exercise and is neither the goal of this document nor ANSSI's mission. This document only underlines the technical links found during ANSSI's investigations between some infrastructure used during these attacks and technical elements reported in open sources as being used by the following threat actors: Kimsuky and Group123.
During the course of this analysis, the cybersecurity company ANOMALI released a publicly available report regarding the same activities.
This report provides the infrastructure clusters identified and some of the potential targets. Indicators of compromise may be found in the attached CSV file.
- Report published on August 22nd, 2019 by Anomali regarding the credentials gathering campaign
- Report published by Talos regarding attacks against South Korea using the USA-Korea summit as a theme
- Report published by regarding the « Baby Shark » malware linked to this credential gathering campaign
- Report published by ESTsecurity regarding the APT campaign of Kimsuky named ‘Smoke Screen’