Microsoft announced that it has taken control of 50 domains operated by North Korean hacking group called “Thallium”. The tech giant stated that attackers used these domains to launch cyber-attacks on different locations including the United States, Japan, and South Korea.
The news came to light when Microsoft filed a lawsuit against Thallium in the U.S. District Court for the Eastern District of Virginia. The U.S. authorities ordered Microsoft to take control of the 50 domains that Thallium was using to perform their operations, as a result, these sites can no longer be used to execute any attack.
Microsoft said that its Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been tracking Thallium for months and have been gathering information on its operations.
Microsoft said these domains were used to send out phishing emails containing a malicious link, a method known as spear-phishing that typically tricks the victims to click and enter their details in a self-hosted page, which are then stored in a hacker database.
The intention of these attacks was to infect victims’ devices with Remote Access Trojans (RATs) such as KimJongRAT and Baby Shark. Once malware was installed it could exploit the information on the victim’s computer by granting remote access to execute commands sent by the hacker.
Tom Burt, Microsoft’s Corporate Vice President, Customer Security & Trust said, “Based on victim information the targets included government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals that work on nuclear proliferation issues.”
This is not the first time Microsoft took hold of domains belonging to a hacker group. In August 2018, Microsoft filed similar legal actions and took down 84 domains belonging to the Russian group known as Strontium, and it also seized 99 domains that were operated by Phosphorus, an Iran linked cyber-espionage group in May 2019.