Microsoft has successfully taken control of web domains used by a North Korean hacking group called Thallium. It was granted approval to do so by the US Virginia district court, following a case filed against the hacking group. Thallium used malware to compromise systems and steal data. It is the fourth nation-state cybercrime group against which Microsoft has taken legal action.
Microsoft Sues Hacking Group Thallium
In late December 2019, the US District Court for the Eastern District of Virginia unsealed documents related to a lawsuit filed by Microsoft against the North Korea-linked cybercrime group Thallium. The suit was filed in Virginia because Thallium uses internet domains registered in that state. The hackers target Microsoft users by impersonating the company with the aim of stealing sensitive information. Thallium has been active since at least 2010.
The method Thallium uses is typical, yet very effective. After researching a potential target, Thallium identifies individual employees of that organization or associated individuals. It uses publicly available information and social media interaction to do so. Next, the hackers create fake email addresses to launch phishing attacks.
The hackers typically impersonate legitimate services, including Hotmail, Gmail, Yahoo or even the company's own webmail service. In many other cases, the spoofed email appears to originate from a contact familiar to the target. The spear-phishing emails include links or sophisticated redirects to fake, but very legitimate-looking, websites set up and controlled by Thallium. In addition, the hackers also use malware to steal data and compromise systems. The two main strains the hackers use are BabyShark and KimJongRAT.
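The impersonation described above relies on sender domains that look like Hotmail, Gmail, Yahoo or the target's own webmail. The following is an added example of how a mail gateway or triage script can flag such look-alike sender domains; it is not code from the article or from Microsoft. The allowlist, the homoglyph map and the sample From: headers are constructed, and example-corp.com is a placeholder for the organisation's own domain.

```python
"""Classify sender domains as legitimate, look-alike or unknown.

Added example, not code from the article or from Microsoft. The allowlist
and the sample From: headers are constructed; example-corp.com stands in
for the target organisation's own webmail domain.
"""
from email.utils import parseaddr
from typing import Dict, List

# Constructed allowlist: the providers the article says Thallium impersonates.
LEGIT_DOMAINS = ["hotmail.com", "gmail.com", "yahoo.com", "outlook.com",
                 "example-corp.com"]

# Characters commonly substituted for the letters they resemble
# (a small constructed map, not a complete homoglyph table).
_FOLD = str.maketrans("013578", "olestb")


def fold_homoglyphs(label: str) -> str:
    """Map look-alike characters back to the letters they imitate."""
    return label.lower().replace("rn", "m").replace("vv", "w").translate(_FOLD)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a hostname. Simplification: a real deployment
    would consult the Public Suffix List so that e.g. co.uk is handled."""
    return ".".join(host.split(".")[-2:])


def classify_sender(from_header: str) -> str:
    """Return 'legitimate', 'lookalike', 'unknown' or 'malformed'."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "malformed"
    host = addr.rsplit("@", 1)[1].lower().strip(".")
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return "legitimate"
    labels = [fold_homoglyphs(part) for part in host.split(".")]
    reg_label = fold_homoglyphs(reg.split(".")[0])
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        if brand in labels:          # brand used as a subdomain of another domain
            return "lookalike"
        if brand in reg_label:       # brand embedded in the registrable label
            return "lookalike"
        if len(brand) >= 5 and levenshtein(reg_label, brand) <= 1:  # typosquat
            return "lookalike"
    return "unknown"


def triage(headers: List[str]) -> Dict[str, str]:
    """Classify a batch of From: headers."""
    return {h: classify_sender(h) for h in headers}


# Constructed sample headers, not taken from any real campaign.
SAMPLE_HEADERS = [
    "Outlook Team <security@hotmail.com>",
    "Account Services <alerts@h0tmail-support.com>",
    "Mail Admin <admin@gmai1.com>",
    "Jane <jane@login.yahoo.com.example-evil.net>",
    "Colleague <bob@partner-firm.org>",
]

if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS).items():
        print(f"{verdict:10s} {header}")
```

The check is deliberately conservative: a verdict of "unknown" only means the domain is not on the allowlist, and the edit-distance rule will also flag short legitimate names that happen to sit one character from a brand, so in practice the output feeds a review queue or a warning banner rather than an automatic block.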
Tech Giant Takes Down 50 False Domain Names
Thallium is the fourth nation-state cybercrime group against which Microsoft has filed similar legal action. Microsoft asks companies that host website domains associated with Thallium to hand over control of the sites. Since the beginning of this week, Microsoft has taken down approximately 50 web domains used by Thallium to conduct its cybercrime operations.
The tech giant previously disabled false domains belonging to three other nation-state cybercrime groups: the Chinese hacking group Barium, Russia’s cyber espionage group Strontium AKA Fancy Bear/APT28, and Phosphorus, a cybercrime group with ties to Iran.
Hackers Stole Sensitive Information
Thallium's victims include government and university employees, human rights organizations, individuals who work on nuclear proliferation issues, think tanks and many others. Most of the targets are based in the US, as well as in Japan and South Korea. According to Microsoft, the hackers were able to gain access to high-value computer networks and highly sensitive information.
Experts from Netscout’s Atlas Security Engineering & Response Team also monitor the hacking group. They observed Thallium targeting universities and more specifically individuals with significant experience in biomedical engineering.
Microsoft advises users to enable two-factor authentication whenever and wherever possible and to learn how to spot phishing schemes. It also suggests that companies organize training on the topic and enable security alerts at all levels, including on email forwarding rules.
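The advice to watch email forwarding rules is worth making concrete, because a compromised mailbox is often fitted with a rule that forwards mail outside the organisation or hides security notifications. The following is an added example of a rule audit, not code from the article or from Microsoft. The rule records are constructed and only loosely follow the property names of an Exchange inbox-rule export (ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MoveToFolder, SubjectContainsWords); treat those field names and example-corp.com as assumptions.

```python
"""Audit mailbox inbox rules for signs of account compromise.

Added example, not code from the article or from Microsoft. The field
names follow an assumed Exchange inbox-rule export; the rules below are
constructed and example-corp.com is a placeholder for the organisation.
"""
from typing import Dict, List

INTERNAL_DOMAINS = {"example-corp.com"}           # placeholder, assumed
HIDING_FOLDERS = {"deleted items", "rss feeds", "junk email", "archive"}
SENSITIVE_WORDS = {"password", "security alert", "invoice", "wire", "mfa"}


def is_external(address: str) -> bool:
    """True when the recipient domain is not one of the organisation's own."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def audit_inbox_rules(rules: List[Dict]) -> List[Dict]:
    """Return one finding per enabled rule that shows a suspicious pattern."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue                                  # disabled rules cannot act
        reasons = []

        # 1. Mail leaving the organisation through a forward or redirect.
        for field in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
            external = [a for a in rule.get(field, []) if is_external(a)]
            if external:
                reasons.append(f"{field} sends mail outside the organisation: "
                               + ", ".join(external))

        # 2. Security-related mail being deleted or parked in a folder
        #    the user rarely opens, which hides alerts about the intrusion.
        folder = (rule.get("MoveToFolder") or "").lower()
        hides = bool(rule.get("DeleteMessage")) or folder in HIDING_FOLDERS
        words = {w.lower() for w in rule.get("SubjectContainsWords", [])}
        hidden_topics = words & SENSITIVE_WORDS
        if hides and hidden_topics:
            reasons.append("hides messages whose subject mentions "
                           + ", ".join(sorted(hidden_topics)))

        # 3. A blank or punctuation-only name, which makes the rule easy
        #    to overlook in the mail client's rule list.
        if not rule.get("Name", "").strip(" ."):
            reasons.append("rule has a blank or punctuation-only name")

        if reasons:
            findings.append({"rule": rule.get("Name", ""), "reasons": reasons})
    return findings


# Constructed sample export for one mailbox.
SAMPLE_RULES = [
    {"Name": "Project mail", "Enabled": True,
     "MoveToFolder": "Projects", "SubjectContainsWords": ["project"]},
    {"Name": ".", "Enabled": True,
     "ForwardTo": ["collector@mail-drop.example"], "DeleteMessage": True,
     "SubjectContainsWords": ["password", "security alert"]},
    {"Name": "Old rule", "Enabled": False,
     "RedirectTo": ["someone@external.example"]},
    {"Name": "Send to assistant", "Enabled": True,
     "RedirectTo": ["assistant@example-corp.com"]},
]

if __name__ == "__main__":
    for finding in audit_inbox_rules(SAMPLE_RULES):
        print(f"rule {finding['rule']!r}:")
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run periodically over an export of every mailbox's rules and alert on new findings; a rule that both forwards externally and deletes the originals is the pattern most worth paging on, since the user will not see the forwarded mail or any warning about it.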