Microsoft has announced that it took control of over 50 domains previously owned by the North Korean Thallium group (APT37) and used for its operations. Microsoft says that, to do so, its Digital Crimes Unit (DCU) and Microsoft Threat Intelligence Center (MSTIC) teams had been monitoring Thallium for several months to understand its infrastructure.
“Microsoft’s Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been tracking and gathering information on Thallium, monitoring the group’s activities to establish and operate a network of websites, domains and internet-connected computers”, said Tom Burt, Corporate Vice President at Microsoft, in the company’s blog.
Having collected enough data, Microsoft filed a lawsuit against Thallium in a Virginia court on December 18 last year. Last week, US officials allowed Microsoft to seize control of more than 50 domains of the North Korean hacking group.
It is known that these domains were used to send phishing emails and to host phishing pages (on which Microsoft brands and trademarks were fraudulently used). The hackers lured victims to these sites, stole their credentials, and then used them to gain access to the victims’ internal networks and continue the attack from there.
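The defensive counterpart to a takedown like this is checking one’s own mail-gateway logs for traffic involving the seized infrastructure and for brand-impersonating lookalike domains. The following Python script is an added example, not code from the article or from Microsoft; the seized-domain list, the brand allowlist, the brand tokens and the log lines are all constructed placeholders (the real seized domains are not published on this page), and the log format is an assumed one.

```python
import re
from urllib.parse import urlparse

# Constructed placeholders standing in for seized/sinkholed domains (not the real ones).
SEIZED_DOMAINS = {"example-seized-1.test", "example-seized-2.test"}

# Assumed short allowlist of legitimate Microsoft-owned domains.
LEGIT_BRAND_DOMAINS = {"microsoft.com", "microsoftonline.com", "live.com", "outlook.com", "office.com"}

# Brand tokens whose presence in a domain outside the allowlist suggests impersonation.
BRAND_TOKENS = ("microsoft", "outlook", "office365", "onedrive", "sharepoint")

# Assumed mail-gateway log format: "<timestamp> from=<addr> to=<addr> url=<first URL in body>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+from=(?P<sender>\S+)\s+to=(?P<rcpt>\S+)\s+url=(?P<url>\S+)$")

# Constructed sample log lines.
SAMPLE_LOG = [
    "2020-01-02T10:15:00Z from=alerts@microsoft-security-alert.test to=user@corp.example url=https://login.microsoft-security-alert.test/verify",
    "2020-01-02T10:16:00Z from=noreply@microsoft.com to=user@corp.example url=https://login.microsoftonline.com/common",
    "2020-01-02T10:17:00Z from=admin@example-seized-1.test to=user@corp.example url=https://example-seized-1.test/login",
    "2020-01-02T10:18:00Z from=hr@corp.example to=user@corp.example url=https://intranet.corp.example/policy",
]


def base_domain(host: str) -> str:
    """Return the last two labels of a hostname (simplification: ignores multi-label suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_domain(host: str):
    """Return a reason string if the host is suspicious, otherwise None."""
    host = host.lower()
    base = base_domain(host)
    if base in SEIZED_DOMAINS:
        return "seized-domain"
    if base in LEGIT_BRAND_DOMAINS:
        return None  # genuine brand domain, no finding
    if any(tok in host for tok in BRAND_TOKENS):
        return "brand-lookalike"  # brand name used on a domain the brand does not own
    return None


def scan_log(lines):
    """Check sender domain and linked URL host of every parsable log line; return a list of findings."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        sender_host = m["sender"].rsplit("@", 1)[-1]
        url_host = urlparse(m["url"]).hostname or ""
        for field, host in (("sender", sender_host), ("url", url_host)):
            reason = classify_domain(host)
            if reason:
                hits.append({"ts": m["ts"], "field": field, "host": host, "reason": reason})
    return hits


def summarize(hits):
    """Count findings per reason, e.g. {'brand-lookalike': 2, 'seized-domain': 2} for SAMPLE_LOG."""
    counts = {}
    for h in hits:
        counts[h["reason"]] = counts.get(h["reason"], 0) + 1
    return counts


if __name__ == "__main__":
    findings = scan_log(SAMPLE_LOG)
    for f in findings:
        print(f"{f['ts']} {f['field']}={f['host']} -> {f['reason']}")
    print(summarize(findings))
```

On the constructed sample, the script flags both the sender and the link of the first message as brand lookalikes and both fields of the third message as contacting a seized domain, while the genuine Microsoft message and the internal message produce no findings. The two-label `base_domain` heuristic is deliberately simple; a production check would use a public-suffix list and compare against a maintained, not hand-typed, allowlist.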
Microsoft also reports that, in addition to tracking Thallium attacks, company experts monitor and examine infected hosts. Most of the attackers’ targets were located in the United States, Japan and South Korea.
“Judging by the data of the victims, they included government officials, think tanks, university staff, members of human rights organizations, as well as people involved in the proliferation of nuclear weapons”, experts said.
According to Microsoft, the ultimate goal of the group’s attacks was often to infect victims with malware such as the KimJongRAT and BabyShark remote access trojans (RATs). Once installed on the victim’s computer, the malware stole information, established persistence in the system, and then awaited further instructions from its operators.
It is worth noting that this is not the first time Microsoft has fought hackers through the courts. For example, in 2018, Microsoft applied the same tactic to take control of 84 domains of the hacking group APT28, also known as Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit and Tsar Team.
Recall also that Microsoft previously reported that Russian hackers had tried to attack various anti-doping agencies ahead of the Olympic Games in Tokyo.