As part of its continuing effort to disrupt the operations of state-backed attackers, Microsoft has seized 50 domains it says were used by threat actors associated with the North Korean government in highly targeted phishing campaigns against government employees, activists, and other groups.
Microsoft obtained a federal court order to take over the domains used by a group the company’s researchers call Thallium. Many of the domains were similar to legitimate Microsoft domains but contained small variations that are difficult to spot. For example, one of the domains was office356-us.org, which is quite similar to a legitimate one used for Microsoft’s Office 365 service. In some of the spear phishing messages the attackers sent to victims, the spoofed sender domain was constructed to look like a microsoft.com domain, but with the initial lowercase “m” replaced by the letters “r” and “n”. Read quickly, “rn” looks virtually identical to “m”. The emails themselves are well constructed as well, purporting to warn recipients of unusual sign-ins to their email accounts.
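The two look-alike tricks described above (the “rn” for “m” substitution and a transposed digit, as in office356 for office365) can be caught mechanically by folding homoglyphs and measuring edit distance against a short allow-list. The following detector is an added example, not code from the article or from Microsoft; the legitimate-domain list, the homoglyph table and the sample domains are constructed for illustration.

```python
# Added example: flag sender or link domains that imitate legitimate ones.
# LEGITIMATE_DOMAINS and HOMOGLYPHS are constructed for this example.
LEGITIMATE_DOMAINS = {"microsoft.com", "office365.com", "office.com"}

# Character runs that render almost identically to a single letter in many fonts.
HOMOGLYPHS = {"rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Fold look-alike sequences to the letter they imitate ('rnicrosoft' -> 'microsoft')."""
    out = label.lower()
    for fake, real in HOMOGLYPHS.items():
        out = out.replace(fake, real)
    return out


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, or swap two
    adjacent characters, each at cost 1, so 'office356' is 1 step from 'office365'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[-1][-1]


def registrable_label(domain: str) -> str:
    """Second-level label with any hyphenated suffix dropped: 'office356-us.org' -> 'office356'."""
    parts = domain.lower().strip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return label.split("-")[0]


def classify(domain: str, max_distance: int = 1) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a domain seen in a message."""
    if domain.lower() in LEGITIMATE_DOMAINS:
        return "legitimate"
    label = normalize(registrable_label(domain))
    for legit in LEGITIMATE_DOMAINS:
        legit_label = registrable_label(legit)
        # Same label after folding (or on a different TLD), or within one edit of it.
        if label == legit_label or edit_distance(label, legit_label) <= max_distance:
            return "lookalike"
    return "unrelated"
```

Running `classify` over the sender and link domains extracted from inbound mail gives a cheap triage signal; the distance threshold should be tuned against real traffic because short labels produce false positives.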
The goal of the phishing emails was to harvest victims’ credentials when they clicked on malicious links, giving the Thallium attackers free rein over the compromised mail accounts. The tactic, though simple, is quite common among state-backed threat actors because it’s effective and efficient. It doesn’t rely on any advanced targeting or sophisticated exploits and can produce devastating results.
“Microsoft’s Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been tracking and gathering information on Thallium, monitoring the group’s activities to establish and operate a network of websites, domains and internet-connected computers. This network was used to target victims and then compromise their online accounts, infect their computers, compromise the security of their networks and steal sensitive information,” Tom Burt, corporate vice president of customer security and trust at Microsoft, said.
“Based on victim information, the targets included government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals that work on nuclear proliferation issues. Most targets were based in the U.S., as well as Japan and South Korea.”
The action by Microsoft follows similar moves against groups associated with government-backed hacking operations from Russia, China, and Iran in the last year. The company has devoted considerable time and resources to identifying, tracking, and disrupting state-backed threat groups that target its customers, using both technical and legal means to halt attack campaigns. In March 2019 Microsoft went after a group known as Phosphorus that is linked to Iran, using a court order to seize 99 domains the group operated. In August 2018 the company gained control of several domains used by a group linked to the infamous Fancy Bear threat actors, who are widely associated with the Russian government.
Once somewhat hesitant to wade into the technical issues and potential political entanglements that can come from these actions, United States courts in recent years have shown a willingness to grant orders such as those Microsoft sought. Other companies have used the same strategy, especially when the domains or other infrastructure specifically target their customers.
Microsoft’s Burt said the Thallium attackers didn’t rely solely on credential theft, but also used malware in some cases.
“In addition to targeting user credentials, Thallium also utilizes malware to compromise systems and steal data. Once installed on a victim’s computer, this malware exfiltrates information from it, maintains a persistent presence and waits for further instructions. The Thallium threat actors have utilized known malware named ‘BabyShark’ and ‘KimJongRAT’,” Burt said.
“As we’ve said in the past, we believe it’s important to share significant threat activity like that we’re announcing today. We think it’s critical that governments and the private sector are increasingly transparent about nation-state activity so we can all continue the global dialogue about protecting the internet. We also hope publishing this information helps raise awareness among organizations and individuals about steps they can take to protect themselves.”