Computers

Microsoft disrupts North Korean hacker group called Thallium

Microsoft disrupts North Korea...
Microsoft has taken over 50 domains it claims North Korean hackers are using to compromise individual accounts in the US, Japan and Korea
Microsoft has taken over 50 domains it claims North Korean hackers are using to compromise individual accounts in the US, Japan and Korea
View 2 Images
Microsoft has taken over 50 domains it claims North Korean hackers are using to compromise individual accounts in the US, Japan and Korea
1/2
Microsoft has taken over 50 domains it claims North Korean hackers are using to compromise individual accounts in the US, Japan and Korea
An example of one of the phishing emails Microsoft tracked to North Korean hackers
2/2
An example of one of the phishing emails Microsoft tracked to North Korean hackers

Microsoft has revealed it has detected a comprehensive network of cyberattacks originating from North Korea. The hacking group has been dubbed Thallium, and it is the fourth nation-state group Microsoft has identified deploying malicious cyberactivity, following Russia, China and Iran.

Microsoft’s Corporate Vice President of Customer Security & Trust Tom Burt outlines how a recent court order enabled the company to take control of 50 domains that have been linked to malicious cyberactivity. Burt claims Thallium has been using a technique called spear-phishing, stealing sensitive information from a number of victims, including government employees and individuals working on nuclear proliferation issues.

The technique involves emails designed to trick victims into clicking malicious links from which either their log-in details are stolen, or their system is infected with malware. The majority of targets identified were in the US, Japan or South Korea.

“By gathering information about the targeted individuals from social media, public personnel directories from organizations the individual is involved with and other public sources, Thallium is able to craft a personalized spear-phishing email in a way that gives the email credibility to the target,” Burt explains before offering a specific example of one of the phishing emails. “… the content is designed to appear legitimate, but closer review shows that Thallium has spoofed the sender by combining the letters “r” and “n” to appear as the first letter “m” in “microsoft.com.”

An example of one of the phishing emails Microsoft tracked to North Korean hackers
An example of one of the phishing emails Microsoft tracked to North Korean hackers

While this form of phishing using fake email addresses is an old hacker strategy, it undoubtedly works. And Burt stresses this is now the fourth major nation-state group using this tactic to target specific victims that Microsoft has disrupted.

“Previous disruptions have targeted Barium, operating from China, Strontium, operating from Russia, and Phosphorus, operating from Iran,” Burt writes. “These actions have resulted in the takedown of hundreds of domains, the protection of thousands of victims and improved the security of the ecosystem.”

Russian hacking group Strontium, also known as Fancy Bear, has on several occasions been detected using this kind of tactic to target US government officials. Microsoft has previously reported taking over phishing domains including “senate.group” and “adfs-senate.email”. These actions were detected during both the 2016 US Presidential election and the 2018 US mid-term elections.

Source: Microsoft

5 comments
CAVUMark
I am having a hard time warming up to N. Korea, China, Russia, etc...
buzzclick
What do you expect? When you're the big dog playing in the cybernet, all the young cats want to mess with you. It's the law of the on-line jungle...or lack thereof.
snowflake0446
Maybe I don't understand some thing(s), but why don't we (each Nation) have Intelligent Firewalls that help to stop this kind of external traffic from coming in? Yes, I know that North Koreans, Russians, China, etc can place their hackers within the US or disperse the virus internally. So is there a way for each and every router within the US or Australia, Canada, etc do some internal packet checking fast enough that it can stop packets that contain known malware signatures?
buzzclick
@snowflake0446 the malware signatures just keep changing making it harder to hit a moving target. There are state hackers, but most of them may be private individuals or groups. Makes me wonder what the statistics are for the success rate of hackers from the West getting in to Russia, China and the DPRK. Is the Chinese firewall as easy to penetrate?
FB36
IMHO, all kinds of hacker & ransomware & malware attacks (using internet) is keep getting bigger & more often! We are clearly losing the battle! What is the (real) solution? IMHO. the root cause of all internet attacks is actually the same! Allowing anonymity (anonymous access/usage)! It is currently really easy for anyone to do any kind of crime in internet and stay completely hidden! What needs to be done? 1st, all VPN services (providing anonymity) need to be (globally) banned! 2nd, all countries should/must do what China does! Make all internet users use a personal ID & make ISPs log all internet activity of all users (which maybe needed anytime for law enforcement)! (Realize, ending anonymity would also end, all bullying/manipulation/exploitation incidents & all illegal/harmful content issues!)