The San Francisco-based security company Lookout said it doesn't know who is behind the campaign, which was still active Thursday. It added that there are indications some of its targets may have been members of the international community in North Korea.
Among the targets were UNICEF, the U.N. World Food Program, the U.N. Development Program, the International Federation of the Red Cross and Red Crescent Societies, Lookout said. Also targeted were think tanks and research organizations including The United States Institute of Peace, the Heritage Foundation, the Social Science Research Council, the East-West Center and the University of San Diego.
The cyberespionage campaign's internet infrastructure has been hosted by a company called Shinjiru, which protects client identities and lets customers pay in anonymity-shielding cryptocurrency, said Jeremy Richards, a Lookout researcher.
Lookout discovered internet sites designed to mimic actual U.N. webpages in hopes of tricking users into entering their login credentials, Richards said. All were physically hosted in Malaysia. The company has notified the targeted organizations it identified.
After obtaining the credentials of an employee already compromised by the attacks, the perpetrators would typically mine that person's email to identify their colleagues and try to infect them. "We know that the typical attack path here is to get credentials from one individual in the organization and use that as a point of leverage to compromise laterally," Richards said.
He said researchers had not been able to obtain copies of phishing emails or text messages used in the campaign. Two documents found by Lookout researchers may offer clues to those behind the campaign. Both documents were designed to be automatically sent to people fooled by the phishing sites and were tailored for members of the international community in Pyongyang, the North Korean capital, Richards said. Lookout provided The Associated Press with copies.
One purported to come from the Romanian Embassy and contained an invitation to a May 9 reception to mark "Europe Day." The other included a "North Korea Watchers - Introductory Survey," which purported to come from an academic at Yonsei University in South Korea.
The North Korea survey was conducted last year and widely promoted on social media, said Jeffrey Robertson, the political science professor who conducted it. "I assume this is why the 'coordinated campaign' has used it as a front to serve their objectives," he told the AP in an email exchange.
Lookout discovered the phishing infrastructure through the routine scans of the internet it runs daily, looking for anomalies that could indicate malicious activity, Richards said.
Associated Press writer Kim Tong-hyung contributed to this report from Seoul, South Korea.