On December 30th, Microsoft announced that 50 web domains operated by a hacking group funded by the North Korean government had been taken down. These 50 domains were used for conducting cyberattacks. The group using them has been identified as Thallium. Microsoft's Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) had been monitoring Thallium for months, tracking its activities and mapping its infrastructure. Besides tracking Thallium's offensive operations, Microsoft also tracked infected hosts. After Christmas, US authorities granted Microsoft a court order allowing it to take over the 50 domains that the North Korean hackers had been using for cyberattacks. These domains had been used for sending out phishing emails and hosting phishing pages: once victims were lured into clicking through to these sites, Thallium's operators could steal their credentials and gain access to internal networks.
According to Tom Burt, Corporate Vice President of Customer Security & Trust at Microsoft, “Based on victim information, the targets included government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals that work on nuclear proliferation issues. Once installed on a victim’s computer, this malware exfiltrates information from it, maintains a persistent presence and waits for further instructions. Most targets were based in the U.S., as well as Japan and South Korea.” The malware mentioned here includes KimJongRAT and BabyShark, two remote access trojans (RATs).
In the past, Microsoft has used the same measures to hinder the operations of other foreign government-backed hacking groups, such as the Russian group known as Strontium (APT28, Fancy Bear), the Iran-linked cyber-espionage outfit named Phosphorus (APT35), and a Chinese government-backed hacking group known as Barium. Microsoft has successfully taken down 84 domains operated by Strontium and 99 domains operated by Phosphorus.