Credentials Gathering Campaign (Sep 2, 2019)
The Agence nationale de la sécurité des systèmes d'information (ANSSI) has identified “several clusters of malicious activity, including domain names, subdomains and email addresses, used in a large attack campaign with traces going back to 2017.” The naming conventions of this infrastructure reveal which targets are being attacked, with the objective being to steal credentials. The targeted organizations are government-related, such as the French ministry of foreign affairs and the South African ministry of foreign affairs. These credential-stealing attacks were traced to five different clusters of malicious activity. This indicates that the actors are well-organized and strategic in their targeting, which suggests the activity is likely APT-related.
Recommendation: This malicious activity is likely being conducted through sponsorship of the North Korean government. Anomali researchers previously released a report in which analysts assessed that the phishing domains and credential theft were being operated by North Korean actors. Government entities will always be assessed to hold valuable information; as such, actors who want this information (other governments) will target said entities in attempts to steal information for strategic purposes. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network- and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.