Microsoft recently took down 50 web domains used by a North Korean hacking group it calls Thallium. The takedown followed a lawsuit the Redmond giant filed against Thallium in the U.S. District Court of Virginia.
Microsoft’s Digital Crimes Unit (DCU) and Threat Intelligence Center have been tracking the activities of the group. According to Microsoft, hackers mainly targeted people in the US, Japan, and South Korea. The targets mainly included government employees and members of organizations focused on human rights and world peace.
Thallium allegedly operated a network of websites and domains to take over people's online accounts. The attackers relied mainly on spear-phishing to compromise user accounts.
To do so, the hacking group gathers information about the target from social media and public profiles. It then sends the target an email that closely resembles an official communication and redirects them to fraudulent websites. For instance, take a look at the image below, where Thallium spoofed the sender by using the letters ‘r’ and ‘n’ side by side so they read as ‘m’, as in ‘microsoft.com’.
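The rn-for-m trick works because the two letters render almost identically in many fonts. As an added example (not Microsoft's or the article's code), the check below normalises such confusable sequences in a sender domain and flags any domain that collapses onto a trusted one; the trusted-domain list, the confusable table and the sample headers are all constructed for illustration.

```python
import re

# Domains the organisation expects legitimate mail from (constructed sample list).
TRUSTED_DOMAINS = {"microsoft.com", "outlook.com"}

# Sequences that render almost identically to a single letter in many fonts.
# 'rn' standing in for 'm' is the trick described in the article; the others are
# common companions. Single-character swaps run first so 'c1' -> 'cl' -> 'd' resolves.
CONFUSABLES = [("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w"), ("cl", "d")]


def skeleton(domain: str) -> str:
    """Collapse confusable sequences so a lookalike and its target share one form."""
    s = domain.lower()
    for seq, repl in CONFUSABLES:
        s = s.replace(seq, repl)
    return s


def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: header value such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", from_header.strip())
    return m.group(1).lower().rstrip(".") if m else ""


def _matches(domain: str, trusted: str) -> bool:
    """True when domain equals trusted or is a subdomain of it."""
    return domain == trusted or domain.endswith("." + trusted)


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one From: header value."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if any(_matches(domain, t) for t in TRUSTED_DOMAINS):
        return "trusted"
    # Not trusted as written; does it become a trusted domain once confusables are normalised?
    sk = skeleton(domain)
    if any(_matches(sk, skeleton(t)) for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers; the first imitates the rn-for-m spoof described above.
    for hdr in ["Microsoft Account Team <security@rnicrosoft.com>",
                "no-reply@microsoft.com",
                "Alerts <alerts@mail.microsoft.com>",
                "friend@example.org"]:
        print(f"{classify_sender(hdr):9s} {hdr}")
```

A mail gateway or SIEM rule can apply the same skeleton comparison to the From: domain and the domains of embedded links, alerting on "lookalike" results.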
The Thallium group is also known to use well-known malware families such as “BabyShark” and “KimJongRAT.” “Once installed on a victim’s computer, this malware exfiltrates information from it, maintains a persistent presence and waits for further instructions,” says Tom Burt, Corporate Vice President, Customer Security & Trust at Microsoft.
This approach is not new for Microsoft. The tech giant used the same legal methodology to take down malicious domains used by Barium, operating from China, Strontium, operating from Russia, and Phosphorus, operating from Iran.
To stay safe from such attacks, Microsoft recommends enabling two-factor authentication on all personal and business email accounts, learning to spot phishing schemes, enabling security alerts, and checking email forwarding rules for entries you did not create.