Microsoft seizes dozens of malicious domains used by North Korea-linked hacker group 'Thallium'

Thallium is the fourth nation-state group that the software giant has taken action against in recent years

Microsoft has seized 50 web domains that were being used by North Korea-linked hacking group 'Thallium'.

The company announced on Monday that a US District Court had given it permission to lock down dozens of malicious domains used by the group to target government officials, peace workers, university staff members, human rights organisations and activists, and nuclear scientists in efforts to steal sensitive data from their systems.

Thallium is the fourth nation-state group that the software giant has taken action against in recent years. Earlier in 2019, Microsoft took action against the Strontium, Barium and Phosphorus groups that are alleged to operate out of Russia, China, and Iran, respectively.

Microsoft's Digital Crimes Unit had been gathering information on Thallium for several months to determine the extent of its network. The company also filed a case against Thallium in the US District Court for the Eastern District of Virginia in an effort to stop the group's operations.

According to Microsoft, the attackers used the network of malicious domains "to target victims and then compromise their online accounts, infect their computers, compromise the security of their networks and steal sensitive information."

The majority of the victims of Thallium's operations were based in South Korea, Japan, and the USA, Microsoft said.

To trick users into disclosing their login credentials, the group sent spear-phishing emails that appeared to come from Microsoft (or other reputable firms). After obtaining a victim's credentials, the attackers could easily access emails, contact lists, and other sensitive data belonging to that user.

"Thallium often also creates a new mail forwarding rule in the victim's account settings," said Tom Burt, Microsoft's vice president for customer security and trust.

"This mail forwarding rule will forward all new emails received by the victim to Thallium-controlled accounts. By using forwarding rules, Thallium can continue to see email received by the victim, even after the victim's account password is updated," he added.
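The forwarding-rule persistence Burt describes leaves a trace: creating or changing an inbox rule is logged, so a defender can review those events for rules that send mail to addresses outside the organisation. The following added example (not from the article or from Microsoft) runs that check over a few constructed audit records shaped like simplified Microsoft 365 unified audit log entries for the Exchange New-InboxRule and Set-InboxRule operations; the domain list and sample addresses are assumptions.

```python
import json

# Parameters of the Exchange New-InboxRule / Set-InboxRule cmdlets that send a
# copy of (or redirect) incoming mail elsewhere; any rule using them is worth a look.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Constructed sample records (not real audit data) in the shape of Exchange
# entries from the unified audit log, reduced to the fields this check uses.
SAMPLE_AUDIT_LOG = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.org",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@attacker-example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.org",
     "Parameters": [{"Name": "Name", "Value": "Team updates"},
                    {"Name": "MoveToFolder", "Value": "Updates"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.org",
     "Parameters": [{"Name": "RedirectTo", "Value": "carol.backup@example.org"}]},
]

def _domain(address):
    """Return the lower-cased domain part of a recipient string such as
    'smtp:user@host' or 'user@host'."""
    return address.strip().rsplit("@", 1)[-1].lower()

def find_suspicious_forwarding(records, internal_domains):
    """Return one finding per inbox rule that forwards or redirects mail to an
    address outside `internal_domains`. A rule that also deletes the message
    is rated high, because it hides the copied mail from the mailbox owner."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        # A forwarding parameter may list several recipients separated by ';'.
        targets = [t for k in FORWARDING_PARAMS if k in params
                   for t in params[k].split(";") if t.strip()]
        external = [t.strip() for t in targets if _domain(t) not in internal_domains]
        if not external:
            continue
        deletes = params.get("DeleteMessage", "").lower() == "true"
        findings.append({"user": rec["UserId"], "rule_name": params.get("Name", ""),
                         "targets": external, "severity": "high" if deletes else "medium"})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_forwarding(SAMPLE_AUDIT_LOG, {"example.org"}):
        print(json.dumps(finding))
```

Because the rule survives a password reset, a credential-reset playbook should include removing any such rule, not only changing the password.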

The attackers also used malware that they could control remotely to maintain a 'persistent presence' on compromised systems.

In the past, the group has used known malware families labelled KimJongRAT and BabyShark, according to Microsoft.

"We think it's critical that governments and the private sector are increasingly transparent about nation-state activity so we can all continue the global dialogue about protecting the internet," Burt stated.

"We also hope publishing this information helps raise awareness among organisations and individuals about steps they can take to protect themselves."