Microsoft has taken legal action against Thallium, a North Korean hacking group, for stealing sensitive data from its customers via spear-phishing attacks.
“Plaintiff MICROSOFT CORP. (“Microsoft”) hereby complains and alleges that JOHN DOES 1-2 (collectively “Defendants”), have established an Internet-based cybertheft operation referred to as “Thallium.” Through Thallium defendants are engaged in breaking into the Microsoft accounts and computer networks of Microsoft’s customers and stealing highly sensitive information,” reads the complaint.
“To manage and direct Thallium, defendants have established and operate a network of websites, domains and computers on the internet, which they use to target their victims, compromise their online accounts, infect their computing devices, compromise the security of their networks and steal sensitive information from them,” Microsoft’s complaint says.
Thallium allegedly targets government employees, human rights organisations, university staff members and others working on nuclear proliferation issues.
“Our court case against Thallium, filed in the U.S. District Court for the Eastern District of Virginia, resulted in a court order enabling Microsoft to take control of 50 domains that the group used to conduct its operations,” said Tom Burt.
How does Thallium infect its targets?
- The attackers select one employee from an organisation that uses Microsoft services and find that employee’s email address on the internet or on social media.
- The hackers contact the employee by sending emails through Gmail, Yahoo and Microsoft’s Hotmail, telling the target that there is a problem with their account.
- These emails trick the user into visiting Thallium-controlled sites and entering their login credentials there.
- Thallium then logs into the target’s account, which allows the attackers to review emails, contact lists and other information; sometimes they also create a mailbox rule that forwards incoming emails to Thallium-controlled email addresses, Microsoft says.
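The last step, a mailbox rule that silently forwards a victim’s mail outside the organisation, is something defenders can hunt for in mailbox audit logs. The following is an added example, not code from the article or from Microsoft: it flags inbox-rule events whose forwarding destination is external. The record layout and all sample records are constructed for this example (modelled on Microsoft 365 unified-audit-log entries for New-InboxRule and Set-InboxRule; treat the field names as an assumption).

```python
# Added example: detect inbox rules that forward or redirect mail outside the
# organisation. Record shape and sample values are constructed (modelled on
# Microsoft 365 audit entries; the field names are an assumption, not page content).

# Rule parameters that send mail elsewhere; RedirectTo leaves the victim no copy.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
INTERNAL_DOMAINS = {"example.org"}

# Constructed records: one benign folder rule, one internal forward, and two
# rules shaped like the forwarding rule described in the complaint.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.org",
     "Parameters": [{"Name": "Name", "Value": "newsletters"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.org",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.org",
     "Parameters": [{"Name": "RedirectTo",
                     "Value": "Drop Box [SMTP:dropbox@attacker.example]"}]},
    {"Operation": "New-InboxRule", "UserId": "dave@example.org",
     "Parameters": [{"Name": "ForwardTo", "Value": "assistant@example.org"}]},
]

def normalise_address(value):
    """Reduce 'Display Name [SMTP:user@domain]' or a bare address to user@domain."""
    return value.rsplit("SMTP:", 1)[-1].rstrip("]").strip().lower()

def is_external(address, internal_domains):
    addr = normalise_address(address)
    return "@" in addr and addr.split("@", 1)[1] not in internal_domains

def find_suspicious_rules(records, internal_domains=INTERNAL_DOMAINS):
    """Return (user, parameter, destination, deletes_copy) for every rule
    that forwards or redirects mail to an address outside internal_domains."""
    hits = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        deletes = str(params.get("DeleteMessage", "")).lower() == "true"
        for name in FORWARDING_PARAMS:
            for dest in str(params.get(name, "")).split(";"):
                if dest and is_external(dest, internal_domains):
                    hits.append((rec["UserId"], name, normalise_address(dest), deletes))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_rules(SAMPLE_RECORDS):
        print("ALERT: external forwarding rule", hit)
```

A rule that both forwards externally and deletes the local copy (the `deletes_copy` flag) is the variant that hides the theft from the mailbox owner and deserves the highest priority.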
Most of the targets were based in the United States, as well as Japan and South Korea, the company said.
The Microsoft exec said that in many of these attacks, the end objective was to infect victims with malware, such as KimJongRat and BabyShark, two remote access trojans (RATs).