Microsoft hijacks 50 domain names from Thallium hacker group

Microsoft has posted about its latest victory against state-sponsored hacker groups after the U.S. District Court for the Eastern District of Virginia agreed to allow Microsoft to confiscate 50 domain names from state-sponsored Korean hacker group Thallium.

This network was used to target victims and then compromise their online accounts, infect their computers, compromise the security of their networks and steal sensitive information. Based on victim information, the targets included government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals that work on nuclear proliferation issues. Most targets were based in the U.S., as well as Japan and South Korea.

Thallium typically attempts to trick victims through a technique known as spear phishing. By gathering information about the targeted individuals from social media, public personnel directories from organizations the individual is involved with and other public sources, Thallium is able to craft a personalized spear-phishing email in a way that gives the email credibility to the target. The content is designed to appear legitimate, but closer review shows that Thallium has spoofed the sender by combining the letters “r” and “n” to appear as the first letter “m” in “microsoft.com.”

The link in the email redirects the user to a website requesting the user’s account credentials. By tricking victims into clicking on the fraudulent links and providing their credentials, Thallium is then able to log into the victim’s account. Upon successful compromise of a victim account, Thallium can review emails, contact lists, calendar appointments and anything else of interest in the compromised account. Thallium often also creates a new mail forwarding rule in the victim’s account settings. This mail forwarding rule will forward all new emails received by the victim to Thallium-controlled accounts. By using forwarding rules, Thallium can continue to see email received by the victim, even after the victim’s account password is updated.

In addition to targeting user credentials, Thallium also utilizes malware to compromise systems and steal data. Once installed on a victim’s computer, this malware exfiltrates information from it, maintains a persistent presence and waits for further instructions. The Thallium threat actors have utilized known malware named “BabyShark” and “KimJongRAT.”

This is the fourth nation-state activity group against which Microsoft has filed similar legal actions to take down malicious domain infrastructure. Previous disruptions have targeted Barium, operating from China, Strontium, operating from Russia, and Phosphorus, operating from Iran.

To protect against these kind of threats, Microsoft suggests users enable two-factor authentication on all business and personal email accounts. Second, users need to learn how to spot phishing schemes and protect themselves from them. Lastly, enable security alerts about links and files from suspicious websites and carefully check your email forwarding rules for any suspicious activity.