Application security, Threat Management

Microsoft helps shutter domains run by North Korean cybergang Thallium

A U.S. district court issued an order enabling Microsoft to take over 50 domains used by a North Korea-based cybercrime gang to conduct spear phishing campaigns.

Microsoft’s Digital Crimes Unit and the Microsoft Threat Intelligence Center took down the domains controlled by a group it named Thallium after researching the malicious actors activity and filing a report with the U.S. District Court for the Eastern District of Virginia, said Tom Burt, Microsoft’s corporate vice president, customer Security and trust.

The court documents were unsealed on December 27 and detailed Microsoft’s work deciphering how Thallium, which is believed to be North Korean, operated its campaigns. The group, according to Burt’s report, did extensive online research to develop the information needed to properly socially engineer the spear phishing emails. Targets included government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals that work on nuclear proliferation issues. Most of the targets were based in the U.S., as well as Japan and South Korea.

A phishing email would generally contain a message requesting the individual click on an embedded link in order to correct an issue. Once the link is clicked the victim is taken to a fraudulent site and asked to supply their login credentials at which point Thallium has the ability to take over the account.

“Upon successful compromise of a victim account, Thallium can review emails, contact lists, calendar appointments and anything else of interest in the compromised account. Thallium often also creates a new mail forwarding rule in the victim’s account settings. This mail forwarding rule will forward all new emails received by the victim to Thallium-controlled accounts. By using forwarding rules, Thallium can continue to see email received by the victim, even after the victim’s account password is updated,” Burt said.

Thallium also used this access to plant the persistent, information-stealing malware BabyShark or KimJongRAT.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.