Microsoft seizes 50 domains operated by NK cybercriminals
Written by Nicole Cappella Tue 31 Dec 2019

Court order permits Microsoft to take control of 50 domains operated by suspected North Korean cybercrime ring known as Thallium
A U.S. district court has granted Microsoft a court order allowing the company to seize control of 50 domains operated by Thallium, a cybercrime ring believed to be of North Korean origin. By taking control of the domains, Microsoft can shut down the ‘spear phishing’ campaigns that relied on them.
Microsoft investigators have been tracking Thallium’s activities as the group used this network of domains to target victims, compromise online accounts, infect computers with malicious code, and steal sensitive data.
Thallium targeted individuals by gathering information from various sources, including social media and other online data available to the general public. The target would receive a personalised email persuading them to click a fraudulent link and enter their credentials, which gave Thallium a foothold in the victim’s network.
These phishing emails appeared credible at first glance, but on closer inspection the sender addresses were clearly spoofed. In the example Microsoft provided, an email requesting verification of Microsoft login credentials came from a look-alike domain that used the letters ‘r’ and ‘n’ in place of the first ‘m’ in ‘microsoft.com’, so that ‘rn’ reads as ‘m’ unless the reader looks closely.
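The ‘rn’ for ‘m’ trick described above is easy to catch mechanically once you know to look for it. The following Python is an added example, not code from the original article or from Microsoft’s filing: it folds confusable character sequences before comparing a sender’s domain with a trusted-domain list, so ‘rnicrosoft.com’ collapses to ‘microsoft.com’ and is flagged as a look-alike rather than passing as unknown. The trusted-domain list, the confusable pairs other than ‘rn’ → ‘m’, and the sample From: headers are all assumptions constructed for the example.

```python
"""Flag sender domains that impersonate a trusted domain with look-alike character sequences."""
from email.utils import parseaddr
from typing import Optional, Tuple

# Constructed allowlist of domains the organisation trusts (assumption for this example).
TRUSTED_DOMAINS = {"microsoft.com", "office.com", "outlook.com"}

# Pairs of (look-alike sequence, character it imitates). 'rn' -> 'm' is the substitution
# Microsoft described in the Thallium example; the other pairs are common confusables
# added here as an assumption to show that the same fold handles them.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def canonicalise(domain: str) -> str:
    """Lower-case the domain and fold every confusable sequence to the character it imitates."""
    d = domain.strip().lower().rstrip(".")
    for lookalike, real in CONFUSABLES:
        d = d.replace(lookalike, real)
    return d


def matches(domain: str, trusted: str) -> bool:
    """True if domain is the trusted domain itself or one of its subdomains."""
    return domain == trusted or domain.endswith("." + trusted)


def classify_sender(from_header: str) -> Tuple[str, Optional[str]]:
    """Classify the value of an RFC 5322 From: header.

    Returns (verdict, impersonated_domain) where verdict is 'trusted', 'lookalike' or 'unknown'.
    Both the candidate domain and each trusted domain are canonicalised before comparison, so a
    domain that only matches after folding is a look-alike, not a genuine match.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("unknown", None)
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    canon = canonicalise(domain)
    for trusted in TRUSTED_DOMAINS:
        if matches(domain, trusted):
            return ("trusted", trusted)
        if matches(canon, canonicalise(trusted)):
            return ("lookalike", trusted)
    return ("unknown", None)


# Constructed sample headers (not real messages) covering each verdict.
SAMPLE_HEADERS = [
    "Microsoft Account Team <account-security@microsoft.com>",
    "Microsoft Account Team <account-security@rnicrosoft.com>",
    "Office 365 <noreply@login.rnicrosoft.com>",
    "Payroll <hr@example.org>",
]


def scan(headers):
    """Run the classifier over a list of From: header values."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, (verdict, target) in scan(SAMPLE_HEADERS).items():
        print(f"{verdict:9} {target or '-':15} {header}")
```

Two caveats a practitioner should keep in mind: the fold only covers ASCII confusables, so internationalised (punycode, ‘xn--’) domains using Unicode homoglyphs need decoding and a script-mixing check as well, and the subdomain match uses a plain suffix test rather than a public-suffix list, which is fine for an internal allowlist but not for deciding registrable domains in general.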
Once the hackers have gained access to a user account, they can monitor activity, compromise systems, steal data, and distribute malware. Known malware used by Thallium includes ‘BabyShark’ and ‘KimJongRAT.’
Victims include employees of government, university and human rights organisations, primarily based in the U.S., Japan and South Korea. While the precise number of victims is unknown, the group is believed to have been active since 2010.
Microsoft filed a complaint against Thallium in the Virginia courts, as the group operates domains that are registered in that state. In the filing, Microsoft alleged, “Thallium specializes in targeting, penetration and stealing sensitive information from high-value computer networks.” The filing went on to say that while the identities and locations of the hackers were unknown, they have been linked by “many in the security community to North Korean hacking group(s).”