Microsoft announced today that it successfully took down 50 web domains previously used by a North Korean government-backed hacking group.
The OS maker said the 50 domains were used to launch cyberattacks by a group the company has been tracking as Thallium (also known as APT37).
Microsoft said the Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) teams have been monitoring Thallium for months, tracking the group’s activities, and mapping its infrastructure.
On December 18, the Redmond-based company filed a lawsuit against Thallium in a Virginia court. Shortly after Christmas, US authorities granted Microsoft a court order, allowing the tech company to take over 50 domains that the North Korean hackers have been using as part of their attacks.
The domains were used to send phishing emails and host phishing pages. Thallium hackers would lure victims on these sites, steal their credentials, and then gain access to internal networks, from where they’d escalate their attacks even further.
Microsoft said that besides tracking Thallium’s offensive operations, it also tracked infected hosts.
“Based on victim information, the targets included government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals that work on nuclear proliferation issues,” said today Tom Burt, Corporate Vice President of Customer Security & Trust at Microsoft.
“Most targets were based in the U.S., as well as Japan and South Korea,” Burt added.
The Microsoft exec said that in many of these attacks, the end goal was to infect victims with malware, such as KimJongRAT and BabyShark, two remote access trojans (RATs).
“Once installed on a victim’s computer, this malware exfiltrates information from it, maintains a persistent presence and waits for further instructions,” Burt said.
This is not the first time when Microsoft used a court order to hinder the operations of foreign government-backed hacking groups.
Microsoft used this approach 12 times against a Russian group known as Strontium (APT28, Fancy Bear), successfully taking down 84 domains — the last time being in August 2018.
It also used a court order to seize 99 domains operated by Phosphorus (APT35), an Iran-linked cyber-espionage outfit.
Microsoft also used court orders to disrupt the operations of Barium, a Chinese government-backed hacking group, although details about these actions are a little bit light.