Microsoft has sought help from the courts to take down domains used by the North Korea-backed hacking group Thallium (APT37). After securing a court order from the U.S. District Court for the Eastern District of Virginia, 50 domains that were being used by the hacking group to attack targets in the United States have now been seized.
Microsoft’s Digital Crimes Unit (DCU) and Threat Intelligence Center (MSTIC) have been tracking the activity of the Thallium group for some time. The domains were being used to steal information and login credentials to give the hackers access to the computer systems of government agencies, research institutions, universities, and human rights organizations and activists.
The domains were primarily used as the web-based component of spear phishing attacks. Emails containing hyperlinks to the domains were sent in targeted attacks on organizations and individuals. The emails were personalized to maximize the chance of the target responding, using information taken from professional networking sites and social media channels. The emails spoofed Microsoft and warned users of unusual sign-in activity. They were highly convincing and difficult to identify as malicious. One tactic used by Thallium was to replace the "m" in Microsoft with the letters "r" and "n", so that at a glance the emails appeared to have been sent from the official Microsoft domain, e.g. accountprotection.rnicrosoft.com.
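The "rn" for "m" substitution described above is a homoglyph lookalike, and it is easy to miss by eye but easy to catch mechanically. The following is an added example, not code from the article or from Microsoft, showing how a mail filter or SOC script could canonicalize a sender's registrable domain and flag it when it collapses to, or sits one edit away from, a protected brand domain. The confusable table, the brand list, the sample sender addresses and the two-label registrable-domain rule are all constructed assumptions for this example (real deployments would use a public-suffix list and a fuller confusable table).

```python
"""Flag sender domains that imitate a protected brand through letter
substitution (rn -> m, vv -> w, 0 -> o, ...) or a single-character typo.
Added example; all tables and sample data below are constructed."""

# Character sequences that visually imitate a single letter (constructed table).
CONFUSABLE_SEQUENCES = {
    "rn": "m",
    "vv": "w",
    "cl": "d",
    "0": "o",
    "1": "l",
}

# Brand domains we want to protect (constructed list; none contain a
# confusable sequence, so canonicalizing them is a no-op).
PROTECTED_BRANDS = {"microsoft.com", "office.com"}


def registrable_domain(address_or_host: str) -> str:
    """Reduce 'alerts@accountprotection.rnicrosoft.com' to 'rnicrosoft.com'.
    Assumption: the public suffix is a single label (.com, .org). A real
    filter should consult the public-suffix list to handle co.uk and friends."""
    host = address_or_host.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:])


def canonicalize(domain: str) -> str:
    """Collapse confusable sequences so that rnicrosoft.com -> microsoft.com."""
    out = domain.lower()
    for seq, letter in CONFUSABLE_SEQUENCES.items():
        out = out.replace(seq, letter)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """Return 'brand' (genuine brand domain), 'lookalike' (imitates a brand
    via confusables or a one-edit typo) or 'other' (unrelated domain)."""
    domain = registrable_domain(address)
    if domain in PROTECTED_BRANDS:
        return "brand"
    canonical = canonicalize(domain)
    if canonical in PROTECTED_BRANDS:
        return "lookalike"
    if any(edit_distance(canonical, brand) == 1 for brand in PROTECTED_BRANDS):
        return "lookalike"
    return "other"


def scan_senders(addresses):
    """Classify a batch of sender addresses, e.g. pulled from mail headers."""
    return {addr: classify_sender(addr) for addr in addresses}


if __name__ == "__main__":
    # Constructed sample senders: one genuine, two lookalikes, one unrelated.
    sample = [
        "noreply@accountprotection.microsoft.com",
        "alerts@accountprotection.rnicrosoft.com",
        "security@micros0ft.com",
        "newsletter@example.org",
    ]
    for addr, verdict in scan_senders(sample).items():
        print(f"{verdict:10s} {addr}")
```

The canonicalization step is what catches the tactic in the article: once "rn" is folded to "m", the spoofed registrable domain becomes byte-for-byte equal to the brand and can be rejected or quarantined without a human having to notice the substitution. Pairing it with a small edit-distance check extends the same idea to ordinary typosquats.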
The links in the emails directed the targets to spoofed websites that collected Office 365 credentials. Those credentials were used to gain access to the targets’ email accounts. Email accounts contain a wealth of sensitive information, along with contact details that can be used in further spear phishing attacks. Malware was also downloaded to allow continuous access to victims’ computers; the Thallium group was known to have used the KimJongRAT and BabyShark malware. According to Microsoft, mail forwarding rules were also set up so the attackers could keep tabs on key individuals and continue to steal sensitive data.
This is not the first time that Microsoft has taken action against threat groups by seizing domains. Microsoft has also sought help from the courts to take down domains used by threat groups backed by Iran (Phosphorus), Russia (Strontium), and China (Barium) in the past.