Microsoft Thwarts Spear Phishing Attack Believed to Originate From North Korea

Technology

Published: December 31, 2019 9:45 am

Last Updated: January 30, 2020 11:42 am

Microsoft Corp. (NASDAQ: MSFT) announced Monday that it had won a court order allowing the company to assume control of 50 domains used by a hacker group to attack targets in the United States, South Korea and Japan, among other nations. The group, known as Thallium, is believed to be based in North Korea and its targets included “government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals that work on nuclear proliferation issues.”

The attacks, known as spear phishing, gathered personal user data from social media, public directories and other public sources and used the personal information to craft a realistic-looking email that directed recipients to a phony Microsoft website where users were tricked into providing personal information, including their usernames and passwords.

The hacker group then uses the harvested data to gather more personal information. Thallium also used malware to compromise systems and steal user and corporate data.

According to the Microsoft blog post announcing the court order, this is the fourth nation-state hacker group against which the company has filed similar charges and taken down domain names:

Previous disruptions have targeted Barium, operating from China, Strontium, operating from Russia, and Phosphorus, operating from Iran. These actions have resulted in the takedown of hundreds of domains, the protection of thousands of victims and improved the security of the ecosystem.

In August of 2018, Microsoft shut down six domains associated with the Strontium attacker group, also known as Fancy Bear or APT28. The judge in the case concluded that there was “good cause” to believe that Strontium is “likely to continue” seeking to disrupt November 2018 U.S. elections. Microsoft shut down 84 websites associated with this group.

The attack associated with the Iran-based group known as Phosphorus (or APT 35, Charming Kitten and Ajax Security Team), resulted in an order allowing Microsoft to shut down 99 malicious websites.