Microsoft Stops Cyber Attacks and Takes Down 50 Domains Operated By North Korean Hacking Group ‘Thallium’ 

Microsoft Corp said it has taken control of web domains operated by North Korean hacking group “Thallium” used in stealing sensitive information of users  based in the United States, as well as Japan and South Korea. According to the report, Microsoft said the hacking group used a common technique known as “spear phishing” to trick its victims by using credible-looking emails that appear legitimate at first glance.

In a blog post published on Monday, the tech giant also announced it has filed a court case in the U.S. District Court for the Eastern District of Virginia, which resulted in a court order enabling Microsoft to take control of 50 domains that the group uses to conduct its operations. With this action, the sites can no longer be used to execute attacks.

“Microsoft’s Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been tracking and gathering information on Thallium, monitoring the group’s activities to establish and operate a network of websites, domains and internet-connected computers. This network was used to target victims and then compromise their online accounts, infect their computers, compromise the security of their networks and steal sensitive information. Based on victim information, the targets included government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals that work on nuclear proliferation issues. Most targets were based in the U.S., as well as Japan and South Korea,” Tom Burt, Corporate Vice President, Customer Security & Trust, said in the blog post.

Just like many cyber criminals and state sponsored threat actors, Thallium used social media, public personnel directories from organizations the individual is involved with and other public sources to gather the information of its targeted victims. Thallium is then able to craft a personalized spear-phishing email in a way that gives the email credibility to the target, Microsoft said.

Below is a sample spear-phishing email provided by Microsoft. As you can see in the image below, the content is designed to appear legitimate, but closer review shows that Thallium has spoofed the sender by combining the letters “r” and “n” to appear as the first letter “m” in “microsoft.com.””

The link in the email redirects the user to a website requesting the user’s account credentials. By tricking victims into clicking on the fraudulent links and providing their credentials, Thallium is then able to log into the victim’s account. Upon successful compromise of a victim account, Thallium can review emails, contact lists, calendar appointments and anything else of interest in the compromised account. Thallium often also creates a new mail forwarding rule in the victim’s account settings. This mail forwarding rule will forward all new emails received by the victim to Thallium-controlled accounts. By using forwarding rules, Thallium can continue to see email received by the victim, even after the victim’s account password is updated.

In addition to targeting user credentials, Thallium also utilizes malware to compromise systems and steal data. Once installed on a victim’s computer, this malware exfiltrates information from it, maintains a persistent presence and waits for further instructions. The Thallium threat actors have utilized known malware named “BabyShark” and “KimJongRAT.”

This is the fourth nation-state activity group against which Microsoft has filed similar legal actions to take down malicious domain infrastructure. Previous disruptions have targeted Barium, operating from China, Strontium, operating from Russia, and Phosphorus, operating from Iran. These actions have resulted in the takedown of hundreds of domains, the protection of thousands of victims and improved the security of the ecosystem.