Tech giant Microsoft announced this week that it has removed 50 web domains that were previously used by a North Korean government-backed hacking group.
ZDNet reports that tech giant Microsoft has successfully removed 50 web domains linked to a North Korean government-backed hacking group called Thallium (also known as APT37). Teams from the Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) reportedly worked together for months to monitor Thallium, track the group’s activities and map its infrastructure.
Microsoft filed a lawsuit against Thallium in a Virginia court on December 18, 2019. After Christmas, Microsoft was granted a court order by U.S. authorities that allowed the tech firm to take control of 50 domains the hackers had used as part of their cyber attacks.
The domains were mainly used to send phishing emails and to host phishing pages designed to trick individuals into handing over their personal details. Thallium hackers used the sites to harvest users’ private credentials, then used those credentials to gain access to internal networks, from which they escalated their attacks.
Tom Burt, Corporate Vice President of Customer Security & Trust at Microsoft, commented on the situation, stating: “Based on victim information, the targets included government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals that work on nuclear proliferation issues.” He added: “Most targets were based in the U.S., as well as Japan and South Korea.”
Burt stated that the main goal of these attacks was to infect victims with malware such as KimJongRAT and BabyShark, remote access trojans which gave hackers access to people’s systems. “Once installed on a victim’s computer, this malware exfiltrates information from it, maintains a persistent presence and waits for further instructions,” Burt said.
Microsoft has previously used court orders to hinder the operations of hacking groups. A similar approach was used 12 times against the Russian hacking group Strontium (APT28, Fancy Bear), taking down 84 of its domains. Similar court orders were used to seize 99 domains used by Phosphorus (APT35), an Iran-linked cyber-espionage group.