- The seized web domains were used to send phishing emails and host phishing pages.
- The victims included government employees, think tanks, university staff members, members of organizations related to human rights and that worked on nuclear proliferation issues.
In a major crackdown, Microsoft has announced that it successfully took down 50 web domains operated by the North Korea-based Thallium hacking group. These domains were used to launch cyberattacks from the group.
The APT group has been active since at least 2010 and Microsoft revealed that the hackers launched spear-phishing using legitimate services including Gmail, Yahoo, and Hotmail.
How was it tracked?
The OS maker disclosed that the Digital Crimes Unit (DCU) along with its Threat Intelligence Center (MSTIC) teams have been monitoring Thallium for months, tracking their activities and mapping their infrastructure.
Shortly after Christmas, Microsoft had taken over 50 domains with permission from the US authorities.
About the domains
The seized web domains were used to send phishing emails and host phishing pages. The hacker group would lure victims on these sites, steal their credentials, and then gain access to internal networks.
The victims included government employees, think tanks, university staff members, members of organizations related to human rights and that worked on nuclear proliferation issues. Microsoft’s investigation revealed that most of the targets were based in the U.S., Japan, and South Korea.
Many of these attacks were carried out with an aim to infect victims with malware such as KimJongRAT and BabyShark.
"Once installed on a victim's computer, this malware exfiltrates information from it maintains a persistent presence and waits for further instructions," added Microsoft, ZDNet reported.
Bloomberg Law has published the list of 50 domains used by Thallium in its cyberespionage campaigns.
This is not the first time when Microsoft used a court order to disrupt cyberespionage campaigns of foreign government-backed hacking groups. In July 2017, the company had tracked down the campaigns conducted by the infamous Fancy Bear APT hacking group.
In March 2019, Microsoft had announced that it had taken control of 99 domains used by an Iran-linked APT group tracked as Phosphorous.