Microsoft seizes control of 50 websites used by a North Korea-linked hacking group to carry out cyber attacks on government workers, human rights groups and nuclear activists
- The group used a network of websites to target specific groups of individuals
- They also targeted think tanks and peace workers as part of their attacks
- The group has been code named Thallium by Microsoft after the element
- It is the fourth 'nation-state' hacking group Microsoft's security team targeted
- Others were from China, Russia and Iran and all given chemical code names
Microsoft has taken control of 50 websites owned by a North Korea-linked hacking group that was targeting government workers and nuclear activists.
The technology giant launched a case in the US District Court against the group code named Thallium to try and stop their operations.
The Microsoft Digital Crimes Unit were tracking and gathering information on Thallium to establish the extent of their network ahead of the December 27 hearing.
They found that the group would infect computers, compromise network security and steal sensitive information from specifically targeted victims.
Other groups targeted by the hackers include peace workers, human rights organisations, university staff and think tanks.
The majority of the victims were based in Japan, South Korea and the USA, according to the Microsoft team.
This is the fourth time Microsoft has taken action against a hacking group run from a 'nation-state', with previous actions involving China, Russia and Iran.
The groups in those earlier actions were code named Barium, which operated out of China, Strontium, from Russia, and Phosphorus, run from Iran.
The actions against these groups resulted in the takedown of hundreds of domains, leading to the protection of thousands of victims, say Microsoft.
'Like many cyber criminals, Thallium typically attempts to trick victims through a technique known as spear phishing', said Microsoft VP Tom Burt.
'This works by gathering information about the targeted individuals from social media, public personnel directories from organisations the individual is involved with and other public sources.
'Thallium is then able to craft a personalised spear-phishing email in a way that gives the email credibility to the target.'
A spear-phishing email will appear to be from a legitimate company, including organisations like Microsoft, but will have a spoofed email address.
When the email address is examined closely it shows they used a domain name made to look like it is official but with letters changed.
For example, it may appear as microsoft.com but the hackers actually replace the 'm' with an 'r' and 'n' close together to resemble the m when viewed quickly - 'rn'.
- microsoft.com - Official Microsoft website
- rnicrosoft.com - Former hacker owned website
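The look-alike check a mail filter could run on sender addresses, as an added example that is not from Microsoft or the original article. Only the 'rn' for 'm' swap comes from the article; the other substitutions, the protected-domain list and the function names are assumptions made for this example.

```python
"""Flag sender domains that imitate a protected domain with look-alike letters."""

# Sequences that read alike at a glance. 'rn' -> 'm' is the swap described in
# the article; the remaining pairs are assumptions added for this example.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

# Domains the organisation wants to protect (assumed list).
PROTECTED = {"microsoft.com"}


def skeleton(domain: str) -> str:
    """Collapse look-alike sequences so visually similar domains compare equal."""
    s = domain.strip().lower().rstrip(".")
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def sender_domain(address: str) -> str:
    """Return the domain part of 'user@domain' or 'Name <user@domain>'."""
    return address.rsplit("@", 1)[-1].strip("> ").lower()


def classify(address: str, protected=PROTECTED) -> str:
    """Return 'legitimate', 'lookalike:<domain>' or 'unrelated'."""
    dom = sender_domain(address)
    for real in protected:
        # Exact domain or one of its subdomains: genuine sender domain.
        if dom == real or dom.endswith("." + real):
            return "legitimate"
    for real in protected:
        # Compare skeletons on both sides, so a protected domain that itself
        # contains 'rn' is still matched correctly.
        want, got = skeleton(real), skeleton(dom)
        if got == want or got.endswith("." + want):
            return f"lookalike:{real}"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample addresses, not taken from any real campaign.
    for addr in ["noreply@microsoft.com",
                 "Account Team <security@rnicrosoft.com>",
                 "alerts@mail.rnicr0soft.com",
                 "news@example.org"]:
        print(f"{addr:45} {classify(addr)}")
```

A check like this only catches character swaps; it does not verify who actually sent the message.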
'The link in the email redirects the user to a website requesting the user's account credentials,' Mr Burt said.
'By tricking victims into clicking on the fraudulent links and providing their credentials, Thallium is then able to log into the victim's account.'
Thallium can then review emails, contact lists, calendar appointments and anything else they want to see in the compromised account.
The group also uses malware - virus-like software that infects a computer and can be controlled remotely - to compromise systems and steal data.
Once installed on a victim's computer, this malware steals information and maintains a 'persistent presence' waiting on further instructions.
The Thallium group are thought to use malware named 'BabyShark' and 'KimJongRAT' when targeting users' machines.
'As we’ve said in the past, we believe it’s important to share significant threat activity like that we’re announcing today,' Mr Burt wrote in a blog post.
'We think it’s critical that governments and the private sector are increasingly transparent about nation-state activity so we can all continue the global dialogue about protecting the internet.
'We also hope publishing this information helps raise awareness among organisations and individuals about steps they can take to protect themselves.'