CERTFR-2019-CTI-002-EN.pdf (1 MB)

ANSSI identified a credentials-gathering campaign active since at least 2017 that used spearphishing emails, phishing websites, and large clusters of lookalike domains and subdomains. The infrastructure appeared to target diplomatic bodies, ministries of foreign affairs, UN-related entities, think tanks, Stanford University, South Korea's foreign ministry, and regional email providers. Several domains spoofed cloud, mail, and document services, with many subdomains resolving in the 157.7.184.0/24 range hosted in Japan and grouped by shared registration emails or naming patterns. ANSSI did not attribute the campaign, but noted technical links between some infrastructure and open-source reporting on Kimsuky and Group123, including doc-view.work and mailacounts.com/NavRAT references. The reporting matters because it gives defenders concrete phishing infrastructure and target patterns for monitoring credential-theft activity against strategic organizations.