Redmond files lawsuit against hacking group Thallium

Dec 31, 2019 06:38 GMT  ·  By
Microsoft says its security products are already updated to protect customers against Thallium attacks

Microsoft has filed a lawsuit against North Korean hacker group Thallium, taking over a total of 50 domains that have previously been used to execute attacks against a series of high-profile targets.

The Redmond-based software company says Thallium typically relied on spear phishing and malware to compromise devices, and that its targets most often included government employees, think tanks, university staff, members of organizations focused on world peace and human rights, and individuals who work on nuclear proliferation issues.

The North Korean hackers typically went after targets in the United States, Japan, and South Korea, Microsoft said.

Thallium’s spear phishing relied on reconnaissance: the group gathered details about a target from social media and other public sources, then used them to craft a personalized email that looked legitimate and carried a link to a credential-harvesting page.

Hackers use email forwarding to obtain victims’ emails

“By tricking victims into clicking on the fraudulent links and providing their credentials, Thallium is then able to log into the victim’s account. Upon successful compromise of a victim account, Thallium can review emails, contact lists, calendar appointments and anything else of interest in the compromised account,” Tom Burt, Corporate Vice President, Customer Security & Trust, explains.

The attackers also created mail forwarding rules in compromised accounts so that every new message the target received was copied to a Thallium-controlled address, which keeps the mail flowing even after the victim changes the password. In other cases Thallium deployed additional malware to collect information from the compromised system and maintain persistence; “BabyShark” and “KimJongRAT” are two of the malware families the group has used, Microsoft says.

“This is the fourth nation-state activity group against which Microsoft has filed similar legal actions to take down malicious domain infrastructure. Previous disruptions have targeted Barium, operating from China, Strontium, operating from Russia, and Phosphorus, operating from Iran,” Burt says.

Microsoft says its security products have already been updated to protect customers against Thallium’s attacks, and it recommends that users enable two-factor authentication, review security alerts, and check their accounts for email forwarding rules they did not create.
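The forwarding-rule check Microsoft recommends is easy to do by hand for one mailbox and impractical for a whole tenant. The script below is an added example for administrators of Exchange Online; it is not Microsoft’s code and is not taken from the post. It assumes the ExchangeOnlineManagement module is installed, that Connect-ExchangeOnline has already been run with an account that can read all mailboxes, and that 'example.com' is a placeholder for your own internal domains. It flags mailbox-level forwarding and inbox rules that forward or redirect mail outside the tenant, and marks rules that also delete or file the message, the usual way of keeping the victim from noticing the copy.

```powershell
# Added example (not Microsoft's code): audit Exchange Online for mailbox-level
# forwarding and inbox rules that forward or redirect mail outside the tenant.
# Assumes the ExchangeOnlineManagement module is installed and that an
# administrator has already run Connect-ExchangeOnline.

function Get-ExternalForwarding {
    param(
        # Domains you consider internal; anything else is treated as external.
        # 'example.com' is a placeholder, replace it with your own domains.
        [string[]]$InternalDomains = @('example.com')
    )

    # Pull SMTP addresses out of the "Display Name [SMTP:user@domain]" strings
    # that Get-InboxRule returns; legacy "[EX:...]" entries are internal recipients
    # and are skipped.
    function Get-SmtpTargets([string[]]$Entries) {
        foreach ($e in $Entries) {
            if ($e -match 'SMTP:([^\]]+)') { $Matches[1].ToLower() }
        }
    }

    function Test-External([string]$Address) {
        $domain = ($Address -split '@')[-1]
        return -not ($InternalDomains -contains $domain)
    }

    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        $upn = $mbx.UserPrincipalName

        # 1. Mailbox-level forwarding, set with Set-Mailbox -ForwardingSmtpAddress.
        if ($mbx.ForwardingSmtpAddress) {
            $addr = ($mbx.ForwardingSmtpAddress -replace '^smtp:', '').ToLower()
            if (Test-External $addr) {
                [pscustomobject]@{
                    Mailbox = $upn; Kind = 'MailboxForwarding'; Rule = ''
                    Target = $addr; HidesEvidence = $false
                }
            }
        }

        # 2. Inbox rules that forward or redirect messages.
        $rules = Get-InboxRule -Mailbox $upn -ErrorAction SilentlyContinue
        foreach ($rule in $rules) {
            $entries = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            $targets = Get-SmtpTargets ($entries | Where-Object { $_ })
            foreach ($t in $targets) {
                if (Test-External $t) {
                    [pscustomobject]@{
                        Mailbox = $upn; Kind = 'InboxRule'; Rule = $rule.Name
                        Target = $t
                        # A rule that also deletes or files the message hides the
                        # copy from the victim; treat it as a stronger indicator.
                        HidesEvidence = [bool]($rule.DeleteMessage -or $rule.MoveToFolder)
                    }
                }
            }
        }
    }
}

# Usage: list findings, then confirm each with the mailbox owner before removing
# the rule with Remove-InboxRule or clearing forwarding with Set-Mailbox.
Get-ExternalForwarding -InternalDomains @('example.com') | Format-Table -AutoSize
```

Enumerating every mailbox with Get-InboxRule is slow on large tenants, so run it as a scheduled job rather than interactively, and keep the previous run’s output so new rules stand out. Tenant-wide transport rules and any third-party mail connectors are a separate check not covered here.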