A coordinated cyberespionage campaign using phishing to harvest passwords from mobile phones and computers has targeted U.N. relief agencies, the International Red Cross and other non-governmental organizations groups for the past 10 months, a cybersecurity firm reported.
The San Francisco-based security company Lookout said it doesn't know who is behind the campaign, which was still active Thursday. It added that there are indications some of its targets may have been members of the international community in North Korea.
Among the targets were UNICEF, the U.N. World Food Program, the U.N. Development Program, the International Federation of the Red Cross and Red Crescent Societies, Lookout said.
Also targeted were think tanks and research organizations including The United States Institute of Peace, the Heritage Foundation, the Social Science Research Council, the East-West Center and the University of San Diego.
The cyberespionage campaign's internet infrastructure has been hosted by a company called Shinjiru, which protects client identities and lets customers pay in anonymity-shielding cryptocurrency, said Jeremy Richards, a Lookout researcher.
Lookout discovered internet sites designed to mimic actual U.N. webpages in hopes of tricking users into entering their login credentials, Richards said. All were physically hosted in Malaysia. The company has notified the targeted organizations it identified.
After obtaining the credentials of an employee already compromised by the attacks, the perpetrators would typically mine that person's email to identify their colleagues and try to infect them.
"We know that the typical attack path here is to get credentials from one individual in the organization and use that as a point of leverage to compromise laterally," Richards said.
Recommended for you
He said researchers had not been able to obtain copies of phishing emails or text messages used in the campaign.
Two documents found by Lookout researchers may offer clues to those behind the campaign. Both documents were designed to be automatically sent to people fooled by the phishing sites and were tailored for members of the international community in Pyongyang, the North Korean capital, Richards said. Lookout provided The Associated Press with copies.
One purports to come from the Romanian Embassy and contained an invitation to a May 9 reception to mark "Europe Day." The other included a "North Korea Watchers - Introductory Survey," which purported to come from an academic at Yonsei University in South Korea.
The North Korea survey was conducted last year and widely promoted on social media, said Jeffrey Robertson, the political science professor who conducted it.
"I assume this is why the 'coordinated campaign' has used it as a front to serve their objectives," he told the AP in an email exchange.
Lookout discovered the phishing infrastructure through routine scans it does daily of the internet seeking anomalies that could be engaged in malicious activity, Richards said.
___
Associated Press writer Kim Tong-hyung contributed to this report from Seoul, South Korea.
Keep the discussion civilized. Absolutely NO
personal attacks or insults directed toward writers, nor others who
make comments. Keep it clean. Please avoid obscene, vulgar, lewd,
racist or sexually-oriented language. Don't threaten. Threats of harming another
person will not be tolerated. Be truthful. Don't knowingly lie about anyone
or anything. Be proactive. Use the 'Report' link on
each comment to let us know of abusive posts. PLEASE TURN OFF YOUR CAPS LOCK. Anyone violating these rules will be issued a
warning. After the warning, comment privileges can be
revoked.
Please purchase a Premium Subscription to continue reading.
To continue, please log in, or sign up for a new account.
We offer one free story view per month. If you register for an account, you will get two additional story views. After those three total views, we ask that you support us with a subscription.
A subscription to our digital content is so much more than just access to our valuable content. It means you’re helping to support a local community institution that has, from its very start, supported the betterment of our society. Thank you very much!
(0) comments
Welcome to the discussion.
Log In
Keep the discussion civilized. Absolutely NO personal attacks or insults directed toward writers, nor others who make comments.
Keep it clean. Please avoid obscene, vulgar, lewd, racist or sexually-oriented language.
Don't threaten. Threats of harming another person will not be tolerated.
Be truthful. Don't knowingly lie about anyone or anything.
Be proactive. Use the 'Report' link on each comment to let us know of abusive posts.
PLEASE TURN OFF YOUR CAPS LOCK.
Anyone violating these rules will be issued a warning. After the warning, comment privileges can be revoked.