Microsoft seizes control of 50 websites used by a North Korea-linked hacking group to carry out cyber attacks on government workers, human rights groups and nuclear activists

  • The group used a network of websites to target specific groups of individuals
  • They also targeted think tanks and peace workers as part of their attacks
  • The group has been code named Thallium by Microsoft after the element
  • It is the fourth 'nation-state' hacking group Microsoft's security team targeted
  • Others were from China, Russia and Iran and all given chemical code names 

Microsoft has taken control of 50 websites owned by a North Korea-linked hacking group that was targeting government workers and nuclear activists.

The technology giant launched a case in the US District Court against the group, code named Thallium, to try to stop its operations.

The Microsoft Digital Crimes Unit were tracking and gathering information on Thallium to establish the extent of their network ahead of the December 27 hearing.

They found that the group would infect computers, compromise network security and steal sensitive information from specifically targeted victims.  

Other groups targeted by the hackers include peace workers, human rights organisations, university staff and think tanks.

Microsoft has taken control of 50 websites owned by a North Korea-linked hacking group that was targeting government workers and nuclear activists

The majority of the victims were based in Japan, South Korea and the USA, according to the Microsoft team.

This is the fourth time Microsoft has taken action against a hacking group run from a 'nation-state', with previous actions involving China, Russia and Iran. 

Previous actions targeted groups code named Barium, which operated out of China, Strontium from Russia and Phosphorus from Iran.  

The actions against these groups resulted in the takedown of hundreds of domains, leading to the protection of thousands of victims, say Microsoft. 

'Like many cyber criminals, Thallium typically attempts to trick victims through a technique known as spear phishing', said Microsoft VP Tom Burt.

'This works by gathering information about the targeted individuals from social media, public personnel directories from organisations the individual is involved with and other public sources.

'Thallium is then able to craft a personalised spear-phishing email in a way that gives the email credibility to the target.'

When the sender's email address is examined closely it shows they used a domain name made to look like microsoft.com but actually replaces the M with an r and n close together to resemble the m

A spear-phishing email will appear to be from a legitimate company, including organisations like Microsoft, but will have a spoofed email address.

When the email address is examined closely it shows they used a domain name made to look like it is official but with letters changed.

For example, it may appear as microsoft.com but the hackers actually replace the 'm' with the two letters 'r' and 'n', which sit close together and resemble an 'm' when viewed quickly: 'rn'.

  • microsoft.com - Official Microsoft website
  • rnicrosoft.com - Former hacker-owned website
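The 'rn' for 'm' substitution described above (and the credential-harvesting flow summarised in the spear-phishing box further down) can be caught on the receiving side by folding confusable letter sequences before comparing a sender's domain against the domains an organisation wants to protect. The script below is an added example written for this article, not Microsoft's code or anything from the court filing; the protected domains, the sample 'From:' headers and every confusable pair other than 'rn'/'m' are constructed assumptions.

```python
from email.utils import parseaddr

# Letter sequences that are easy to confuse at a glance. The "rn" -> "m" swap is
# the one described in the article; the remaining entries are assumptions added
# for this example, not a list published by Microsoft.
CONFUSABLE_SEQUENCES = {
    "rn": "m",
    "vv": "w",
    "cl": "d",
    "0": "o",
    "1": "l",
}

# Domains this organisation wants to protect against impersonation (constructed).
PROTECTED_DOMAINS = {"microsoft.com", "outlook.com"}


def canonical(label: str) -> str:
    """Collapse confusable sequences so 'rnicrosoft' and 'microsoft' compare equal."""
    text = label.lower()
    # Fold multi-character sequences first so "rn" is handled before single-character rules.
    for seq in sorted(CONFUSABLE_SEQUENCES, key=len, reverse=True):
        text = text.replace(seq, CONFUSABLE_SEQUENCES[seq])
    return text


def registrable_domain(host: str) -> str:
    """Keep the last two labels (assumption: no multi-label public suffixes such as co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_sender(address: str, protected: set = PROTECTED_DOMAINS) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a From: address."""
    _, addr = parseaddr(address)          # strips any display name such as "Account Team"
    if "@" not in addr:
        return "unrelated"
    domain = registrable_domain(addr.rsplit("@", 1)[1])
    if domain in protected:
        return "legitimate"
    # A domain that only matches after folding is the lookalike pattern from the article.
    if canonical(domain) in {canonical(p) for p in protected}:
        return "lookalike"
    return "unrelated"


def scan_from_headers(lines):
    """Classify each 'From:' header line; returns (address, verdict) pairs."""
    results = []
    for line in lines:
        if line.lower().startswith("from:"):
            value = line.split(":", 1)[1].strip()
            results.append((parseaddr(value)[1], classify_sender(value)))
    return results


# Constructed sample headers, not taken from any real mailbox.
SAMPLE_HEADERS = [
    'From: "Microsoft Account Team" <security@rnicrosoft.com>',
    "From: Office 365 <alerts@login.microsoft.com>",
    "From: newsletter@example.org",
    "From: helpdesk@outl00k.com",
]

if __name__ == "__main__":
    for addr, verdict in scan_from_headers(SAMPLE_HEADERS):
        print(f"{verdict:11} {addr}")
```

Folding both sides with the same table is what makes the comparison symmetric: a genuine domain that happens to contain 'rn' still matches itself. Because the folding deliberately loses information, a 'lookalike' verdict is a signal for quarantine or user warning rather than a hard block, and a production filter would also check the SPF/DKIM results and a proper public-suffix list rather than the two-label shortcut assumed here.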

'The link in the email redirects the user to a website requesting the user's account credentials,' Mr Burt said.

'By tricking victims into clicking on the fraudulent links and providing their credentials, Thallium is then able to log into the victim's account.'

Thallium can then review emails, contact lists, calendar appointments and anything else they want to see in the compromised account.

Microsoft have already taken action against groups from China, Russia and Iran in similar court cases that led to the seizure of websites

The group also uses malware - virus like software that infects a computer and can be controlled remotely - to compromise systems and steal data. 

Once installed on a victim's computer, this malware steals information and maintains a 'persistent presence' waiting on further instructions.

The Thallium group is thought to use malware named 'BabyShark' and 'KimJongRAT' when targeting users' machines.

'As we've said in the past, we believe it's important to share significant threat activity like that we're announcing today,' Mr Burt wrote in a blog post.

'We think it’s critical that governments and the private sector are increasingly transparent about nation-state activity so we can all continue the global dialogue about protecting the internet. 

'We also hope publishing this information helps raise awareness among organisations and individuals about steps they can take to protect themselves.'

HOW DO HACKERS USE 'SPEAR-PHISHING' TO STEAL USERS' PRIVATE INFORMATION?

Spear-phishing is based on the concept of 'phishing' - that is where hackers attempt to re-create an official looking email, social media account or website to convince people to share their login details.

Spear-phishing is a much more targeted version of the same technique, built on far more personal information about the victim.

In a spear-phishing attack the hacker would scour the social media accounts, public directories, organisation websites and anywhere that contains personal information on their target.

They then craft an email designed to look like it is coming from a professional organisation the target has a link to.

When the target clicks a link in the email it takes them to a website that looks the same as the organisation's site, but when they enter their username and password the page simply sends those details to the hacker instead of logging them in.

SOURCE: Microsoft 