Suspected North Korean Cyber Espionage Campaign Targets Multiple Foreign Ministries and Think Tanks


Anomali researchers recently observed a site masquerading as a login page for a diplomatic portal linked to the French government. Further analysis of the threat actor’s infrastructure uncovered a broader phishing campaign targeting the Ministry of Foreign Affairs agencies of three different countries. Also targeted were four research-oriented organisations, including Stanford University; the Royal United Services Institute (RUSI), a United Kingdom-based think tank; and the Congressional Research Service (CRS), a United States-based think tank; as well as five different email service providers. The infrastructure overlaps with that of known North Korean actors, including the same domain and a shared hosting provider. Because of the links between one of the victims and their work on North Korean sanctions, we expect to see malicious actors continue to target international staff involved in a similar official capacity.


Prior to the release of this blog post, we submitted the phishing sites to Google Safe Browsing and Microsoft for blacklist consideration.


Targeting of French Ministry of Europe and Foreign Affairs


On August 9, 2019, the Anomali Threat Research Team discovered a web page impersonating the French Ministry for Europe and Foreign Affairs (MEAE) online portal. The malicious host “portalis.diplomatie.gouv.fr.doc-view[.]work”[1] bears a strong resemblance to the legitimate site “diplomatie.gouv.fr”. Users who navigate to the suspicious subdomain are shown a phishing site mimicking the MEAE portal. According to the legitimate site, access is restricted to “MEAE agents”. The legitimate website for “France Diplomatie” describes MEAE agents as potentially working for one of 12 agencies for the “Ministry for Europe and Foreign Affairs”. If an official from any of these agencies is able to log in to the portal, then it is possible that all twelve of these agencies are potential victims, which include:


Agence Française de Développement (AF ..
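
The phishing host described above places the labels of the genuine domain in front of an attacker-controlled parent domain. As an added example (not code from the Anomali report), the Python below flags that pattern in hostnames taken from proxy or DNS logs; the watchlist, the three-column log layout, and the sample log lines are constructed assumptions.

```python
# Added example: flag hostnames that embed a protected domain as leading labels
# under a different parent domain (the pattern of the phishing host in the report).
PROTECTED = ["diplomatie.gouv.fr"]  # assumption: defender-maintained watchlist

# Constructed sample lines (timestamp, client, requested host); not real telemetry.
SAMPLE_LOG = """\
2000-01-01T10:02:11Z 10.0.0.5 www.diplomatie.gouv.fr
2000-01-01T10:02:40Z 10.0.0.7 portalis.diplomatie.gouv.fr.doc-view[.]work
2000-01-01T10:03:02Z 10.0.0.9 example.org:443
"""


def normalize(host):
    """Refang '[.]', lowercase, drop any port and a trailing dot."""
    host = host.strip().lower().replace("[.]", ".")
    return host.split(":")[0].rstrip(".")


def embedded_match(host, protected=PROTECTED):
    """Return (protected_domain, parent_domain) if host embeds a protected
    domain without actually ending in it; otherwise return None."""
    labels = normalize(host).split(".")
    for dom in protected:
        want = dom.split(".")
        n = len(want)
        if labels[-n:] == want:
            continue  # genuinely under the protected domain
        # Slide over the labels; require at least one label after the match.
        for i in range(len(labels) - n):
            if labels[i:i + n] == want:
                return dom, ".".join(labels[i + n:])
    return None


def scan(log_text):
    """Return (client, host, protected, parent) for each flagged log line."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not match the assumed layout
        _, client, host = parts
        match = embedded_match(host)
        if match:
            hits.append((client, normalize(host), match[0], match[1]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The check compares whole DNS labels, so it does not catch hyphenated or misspelled lookalikes; those need a separate similarity rule.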
