Microsoft Takes North Korean Hacking Group Thallium to Court
December 30: Microsoft sued a cyber-espionage group with North Korean links tracked as Thallium for breaking into its customers’ accounts and networks via spear-phishing attacks with the end goal of stealing sensitive information, as shown by a complaint unsealed on December 27.
“To manage and direct Thallium, Defendants have established and operate a network of websites, domains, and computers on the Internet, which they use to target their victims, compromise their online accounts, infect their computing devices, compromise the security of their networks, and steal sensitive information from them,” Microsoft’s complaint says.
The lawsuit was filed by Microsoft on December 18 in the U.S. District Court for the Eastern District of Virginia, as first reported by Bloomberg Law’s Blake Brittain.
Microsoft has stated, “the precise identities and locations of those behind the activity are generally unknown but have been linked by many in the security community to North Korean hacking group or groups.”
According to Microsoft, Thallium targets both public and private industry targets and it has been observed while previously attacking “government employees, organizations and individuals that work on Nuclear Proliferation issues, think tanks, university staff members, members of organizations that attempt to maintain world peace, human rights organizations, as well as many other organizations and individuals.”
The North Korean hackers are also believed to have been active since at least 2010 according to Redmond’s complaint, and it is known for being behind spear-phishing attacks they operate via legitimate services such as Gmail, Yahoo, and Hotmail.
A list of 50 domains used by Thallium in their attacks and taken down by Microsoft on a court order is available in Appendix A of the complaint.
“Our court case against Thallium, filed in the U.S. District Court for the Eastern District of Virginia, resulted in a court order enabling Microsoft to take control of 50 domains that the group uses to conduct its operations,” said Tom Burt, Microsoft’s Corporate Vice President of Customer Security & Trust, in a blog post after this article was published.
“With this action, the sites can no longer be used to execute attacks,” Burt added.
Behind the STOLEN PENCIL APT campaign
Netscout’s ATLAS Security Engineering & Response Team (ASERT) also tracks one of the North Korean hacking group’s campaigns as STOLEN PENCIL.
According to Netscout, the hackers’ STOLEN PENCIL APT campaign has been targeting academic institutions since at least May 2018 in spear-phishing attacks with the end goal of stealing credentials.
Based on several shared resources, Palo Alto Networks’ Unit42 also linked Thallium’s STOLEN PENCIL campaign with a malware dubbed BabyShark and delivered as part of a spear-phishing campaign focused “on gathering intelligence related to Northeast Asia’s national security issues,” starting with November 2018.
“Well-crafted spear phishing emails and decoys suggest that the threat actor is well aware of the targets, and also closely monitors related community events to gather the latest intelligence,” Unit42 said.
“While not conclusive, we suspect that the threat actor behind BabyShark is likely connected to the same actor who used the KimJongRAT malware family, and at least shares resources with the threat actor responsible for the STOLEN PENCIL campaign.”
Samples of the KimJongRAT malware were observed dating back to 2010. The BabyShark malware is frequently sent to users as a malicious attachment to an email. The malware will drop a file with the file extension That file will then send a command that will beacon out to obtain an encoded script that is delivered back to the victim computer. – Microsoft
Microsoft confirmed these links in their Thallium complaint, saying that “in addition to targeting user’s credentials, the Thallium defendants also utilize malware the most common being indigenous implants named ‘BabyShark’ and ‘KimJongRAT’ to compromise systems and steal data from victim systems.”
“The Thallium defendants use misleading domains and Microsoft’s trademarks to cause victims to click on the links that result in installation of this malware on the victims’ computers,” Microsoft adds.
“Once installed on a victim’s computer, this malware exfiltrates information from the victim computer, maintains a persistent presence on the victim computer, and waits for further instructions from the Thallium.”
Attacks targeting Microsoft customers
The North Korean state-sponsored Thallium was also previously mentioned by Redmond in July when the company said that it notified around 10,000 of its customers during the past year of being targeted or compromised by several other nation-state backed threat groups.
“About 84% of these attacks targeted our enterprise customers, and about 16% targeted consumer personal email accounts,” said Microsoft Corporate Vice President for Customer Security & Trust, Tom Burt at the time.
Other APT groups from Iran and Russia were also found to be behind these nation-state attacks against Microsoft customers, with threat actors such as Holmium and Mercury operating from Iran and two actors operating from Russia tracked Yttrium and Strontium (aka Fancy Bear or APT28) leaving their prints around some of these malicious campaigns.
While observing cyber-espionage campaigns, Microsoft detected attacks targeting the 2016 U.S. presidential election and the last French presidential elections, with U.S. senatorial candidates also being targeted in 2018 by the Russian-backed Strontium hacking group.
Seizing Phosphorus and Fancy Bear domains
“This is the fourth nation-state activity group against which Microsoft has filed similar legal actions to take down malicious domain infrastructure. Previous disruptions have targeted Barium, operating from China, Strontium, operating from Russia, and Phosphorus, operating from Iran,” Burt added.
“These actions have resulted in the takedown of hundreds of domains, the protection of thousands of victims and improved the security of the ecosystem.”
The Microsoft Threat Intelligence Center (MSTIC) previously spotted the state-sponsored Iranian cyber-espionage group they track as Phosphorus (aka APT35, Charming Kitten, or Ajax Security Team), a group which attempted to gain account info on over 2,700 customers, attack 241 of them, and eventually compromised four of the attacked accounts between August and September.
Microsoft’s Digital Crimes Unit was able to block some of Phosphorus group’s cyber attacks by taking over infrastructure domains used as part of their core operations, as court documents unsealed in March show.
By seizing 99 domains of their domains, Microsoft took over parts of the hacking group’s operations and redirected traffic from infected devices to its sinkholes, thus collecting important info on the hacking group’s activity.
The company also previously filed 15 similar cases against Strontium in August 2018, which later led to the seizure of 91 of their domains.
