Microsoft gets a ruling from a US district court enabling it to take control of 50 domains that the threat group Thallium uses to conduct its operations. The technology giant was able to disrupt cyberattacks from the group believed to be operating from North Korea, according to its media advisory.
Microsoft’s Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) tracked Thallium’s activities, which include using a network of websites and domains to target victims. The attacks include compromising online accounts, illegally obtaining information, and infecting networks.
The Microsoft team also found out that the threat group spreads malware called BabyShark and KimJongRAT “to compromise systems and steal data.”
According to Microsoft, Thallium is the fourth nation-state activity group against which it has filed legal action to take down malicious domains. The screenshot below (provided by Microsoft on its blog) shows how the group uses spearphishing to trick users into clicking on malicious links. The domain name combined the letters “r” and “n” so that, side by side, they look like an “m.” Unsuspecting victims could easily fall for this trick.
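As an added example (not code from Microsoft’s advisory or blog), here is a small Python check that flags links whose domain imitates a protected brand through the “rn”-for-“m” substitution described above. It generalizes the article’s single case to a few other confusable sequences (vv/w, cl/d, digits for letters); the protected-domain list, the extra pairs and the sample links are assumptions of the example.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed watchlist of brand domains a defender wants to protect (not from the article).
PROTECTED_DOMAINS = ("microsoft.com", "live.com", "outlook.com")

# Letter pairs that render like a single other letter in many fonts.
# The article documents "rn" -> "m"; the rest are assumed additions of the same kind.
CONFUSABLE_SEQUENCES = [("rn", "m"), ("vv", "w"), ("cl", "d")]

# Digits commonly used in place of the letters they resemble (assumed).
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (naive: no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(domain: str) -> str:
    """Collapse confusable characters/sequences to the letters they imitate."""
    s = domain.lower().translate(CONFUSABLE_CHARS)
    for seq, letter in CONFUSABLE_SEQUENCES:
        s = s.replace(seq, letter)
    return s


def lookalike_target(host: str) -> Optional[str]:
    """Return the protected domain this host imitates, or None if it is genuine/unrelated."""
    rd = registrable_domain(host)
    if rd in PROTECTED_DOMAINS:
        return None  # the real brand domain, not a lookalike
    sk = skeleton(rd)
    for target in PROTECTED_DOMAINS:
        if sk == skeleton(target):
            return target
    return None


def scan_links(links: List[str]) -> List[Tuple[str, str]]:
    """Return (host, imitated_domain) for every link whose host is a lookalike."""
    hits = []
    for link in links:
        host = urlsplit(link).hostname or ""
        target = lookalike_target(host)
        if target:
            hits.append((host, target))
    return hits


# Constructed sample links, as they might appear in a spearphishing message.
SAMPLE_LINKS = [
    "https://login.microsoft.com/",           # genuine
    "https://account.rnicrosoft.com/verify",  # "rn" in place of "m"
    "https://mail.live.com/",                 # genuine
    "https://outl00k.com/reset",              # digits in place of letters
    "https://example.org/",                   # unrelated
]
```

Running `scan_links(SAMPLE_LINKS)` reports only the two imitation hosts, each paired with the brand domain it mimics.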
The news advisory also said “previous disruptions have targeted Barium, operating from China, Strontium, operating from Russia, and Phosphorus, operating from Iran. These actions have resulted in the takedown of hundreds of domains, the protection of thousands of victims and improved the security of the ecosystem.”
From what Microsoft gathered, Thallium has targeted government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals who work on nuclear proliferation issues, based in Japan, South Korea, and the United States.