Microsoft Seizes Domains to Disrupt North Korean Hackers

Microsoft has seized scores of domains thought to have been used by a North Korean threat group to support a spear-phishing and information-stealing campaign.

The tech giant secured a court order after filing against the “Thallium” group (aka APT37), enabling it to take control of 50 domains it said were being used to execute attacks against mainly US, but also Japanese and South Korean entities.

“This network was used to target victims and then compromise their online accounts, infect their computers, compromise the security of their networks and steal sensitive information,” explained Microsoft VP of customer security and trust, Tom Burt.

“Based on victim information, the targets included government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals that work on nuclear proliferation issues.”

Victims are typically hit by spear-phishing emails that use information gathered from public sources to appear legitimate.

Clicking the links in these emails takes the victim to a spoofed website requesting account log-ins. This strategy is designed to give Thallium attackers access to their emails, contact lists, calendar appointments and anything else of interest.

The group has also been observed setting up a mail forwarding facility so that it can continue to monitor a victim’s communications even after they have updated their account password, Burt explained.
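The forwarding persistence described above is something a defender can hunt for directly: a mailbox-level forwarding address or an inbox rule that sends copies of mail to an address outside the organisation survives a password reset and should be reviewed. The script below is an added example written for this article, not code from Microsoft or the original report. It models the fields an Exchange/Microsoft 365 inbox-rule export exposes (rule name, enabled flag, ForwardTo/RedirectTo targets, DeleteMessage, and the mailbox-level ForwardingSmtpAddress) on constructed sample data; the mailboxes, rule names and the `example.org` organisation domain are made up, and the assumption is that anything outside the organisation's own domains is worth flagging.

```python
"""Hunt for mail forwarding that persists after a password reset.

Constructed sample data: the rule records below imitate the fields an
Exchange/Microsoft 365 inbox-rule export contains (ForwardTo, RedirectTo,
DeleteMessage, ForwardingSmtpAddress), but every mailbox, rule name and
domain here is made up for this example.
"""
from dataclasses import dataclass, field

# Assumption: the organisation's own mail domains; anything else is "external".
ORG_DOMAINS = {"example.org"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool
    forward_to: list = field(default_factory=list)   # ForwardTo targets
    redirect_to: list = field(default_factory=list)  # RedirectTo targets
    delete_message: bool = False                     # DeleteMessage flag


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an SMTP address."""
    return address.rsplit("@", 1)[-1].lower()


def is_external(address: str, org_domains=ORG_DOMAINS) -> bool:
    """True when the address belongs to none of the organisation's domains."""
    return _domain(address) not in org_domains


def suspicious_forwarding(rules, mailbox_forwarding, org_domains=ORG_DOMAINS):
    """Return (mailbox, reason) findings for external forwarding.

    rules: iterable of InboxRule (per-mailbox inbox rules)
    mailbox_forwarding: dict mailbox -> ForwardingSmtpAddress (or None)
    """
    findings = []
    for rule in rules:
        if not rule.enabled:
            continue  # disabled rules do not move mail; skip them
        targets = rule.forward_to + rule.redirect_to
        external = [t for t in targets if is_external(t, org_domains)]
        if external:
            reason = f"rule '{rule.name}' forwards to external {external}"
            if rule.delete_message:
                # Forward-and-delete hides the copy from the mailbox owner,
                # which is the pattern most worth escalating.
                reason += " and deletes the original"
            findings.append((rule.mailbox, reason))
    for mailbox, addr in mailbox_forwarding.items():
        if addr and is_external(addr, org_domains):
            findings.append((mailbox, f"mailbox-level forwarding to external {addr}"))
    return findings


# Constructed sample export: one benign internal rule, one disabled rule,
# two live external rules and one mailbox-level forward.
SAMPLE_RULES = [
    InboxRule("alice@example.org", "Team digest", True, forward_to=["team@example.org"]),
    InboxRule("alice@example.org", "Sync", True,
              forward_to=["backup.mail@external-webmail.test"], delete_message=True),
    InboxRule("bob@example.org", "Old rule", False, redirect_to=["x@external.test"]),
    InboxRule("bob@example.org", ".", True, redirect_to=["collector@mail-drop.test"]),
]
SAMPLE_MAILBOX_FORWARDING = {
    "alice@example.org": None,
    "carol@example.org": "carol.archive@external-webmail.test",
}


def run_sample():
    """Run the hunt over the constructed sample; returns the findings list."""
    return suspicious_forwarding(SAMPLE_RULES, SAMPLE_MAILBOX_FORWARDING)


if __name__ == "__main__":
    for mailbox, reason in run_sample():
        print(f"{mailbox}: {reason}")
```

On real data the same function would be fed the output of an inbox-rule and mailbox-forwarding export for every mailbox, and the findings cross-checked against change-management records: a rule with a one-character name that forwards externally and deletes the original is rarely something the user created.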

“In addition to targeting user credentials, Thallium also utilizes malware to compromise systems and steal data,” he added.

“Once installed on a victim’s computer, this malware exfiltrates information from it, maintains a persistent presence and waits for further instructions. The Thallium threat actors have utilized known malware named ‘BabyShark’ and ‘KimJongRAT’.”

The takedown follows similar operations carried out by Microsoft against groups operating from China, Russia and Iran.

Back in July last year, the firm claimed it had warned 10,000 customers that they’d been targeted by nation state attacks over the previous 12 months, including hundreds of US political organizations.
