Microsoft takes action against fourth nation-state cybercrime group

    Microsoft takes action against fourth nation-state cybercrime group

    Microsoft takes action against fourth nation-state cybercrime group

    Posted: 30 Dec 2019
    On December 27, a U.S. district court unsealed documents detailing work Microsoft has performed to disrupt cyberattacks from a threat group we call Thallium, which is believed to operate from North Korea. Our court case against Thallium, filed in the U.S. District Court for the Eastern District of Virginia, resulted in a court order enabling Microsoft to take control of 50 domains that the group uses to conduct its operations. With this action, the sites can no longer be used to execute attacks.

    Microsoft’s Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been tracking and gathering information on Thallium, monitoring the group’s activities to establish and operate a network of websites, domains and internet-connected computers. This network was used to target victims and then compromise their online accounts, infect their computers, compromise the security of their networks and steal sensitive information. Based on victim information, the targets included government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals that work on nuclear proliferation issues. Most targets were based in the U.S., as well as Japan and South Korea.

    Like many cybercriminals and threat actors, Thallium typically attempts to trick victims through a technique known as spear phishing. By gathering information about the targeted individuals from social media, public personnel directories from organizations the individual is involved with and other public sources, Thallium is able to craft a personalized spear-phishing email in a way that gives the email credibility to the target. As seen in the sample spear-phishing email below, the content is designed to appear legitimate, but closer review shows that Thallium has spoofed the sender by combining the letters “r” and “n” to appear as the first letter “m” in “”

    The link in the email redirects the user to a website requesting the user’s account credentials. By tricking victims into clicking on the fraudulent links and providing their credentials, Thallium is then able to log into the victim’s account. Upon successful compromise of a victim account, Thallium can review emails, contact lists, calendar appointments and anything else of interest in the compromised account. Thallium often also creates a new mail forwarding rule in the victim’s account settings. This mail forwarding rule will forward all new emails received by the victim to Thallium-controlled accounts. By using forwarding rules, Thallium can continue to see email received by the victim, even after the victim’s account password is updated.

    In addition to targeting user credentials, Thallium also utilizes malware to compromise systems and steal data. Once installed on a victim’s computer, this malware exfiltrates information from it, maintains a persistent presence and waits for further instructions. The Thallium threat actors have utilized known malware named “BabyShark” and “KimJongRAT.”

    This is the fourth nation-state activity group against which Microsoft has filed similar legal actions to take down malicious domain infrastructure. Previous disruptions have targeted Barium, operating from China, Strontium, operating from Russia, and Phosphorus, operating from Iran. These actions have resulted in the takedown of hundreds of domains, the protection of thousands of victims and improved the security of the ecosystem.

    As we’ve said in the past, we believe it’s important to share significant threat activity like that we’re announcing today. We think it’s critical that governments and the private sector are increasingly transparent about nation-state activity so we can all continue the global dialogue about protecting the internet. We also hope publishing this information helps raise awareness among organizations and individuals about steps they can take to protect themselves.

    Microsoft applies the knowledge we have collected from tracking Thallium activity to add protections for our customers in all of our security products. You can protect yourself from these types of attacks in at least three ways. We recommend, first, that you enable two-factor authentication on all business and personal email accounts. Second, learn how to spot phishing schemes and protect yourself from them. Third, enable security alerts about links and files from suspicious websites and carefully check your email forwarding rules for any suspicious activity.


    Brink's Avatar Posted By: Brink
    30 Dec 2019

  1. mta3006's Avatar
    Posts : 956
    W10 Pro v1903

    Way to go, MS!
      My Computers

  2. Cliff S's Avatar
    Posts : 25,648
    Win10 Pro, Win10 Pro N, Win10 Home, Windows 8.1 Pro, Ubuntu

    Falling for spearfishing and spoofing chances can be reduced if you get yourself a Windows Hello device, like my Logitech BRIO webcam and use Edge(Chromium Edge too) as your default browser: Set Up Windows Hello to Sign in to Microsoft Account in Microsoft Edge

    If the sign in then doesn't work or you don't get offered these options, Microsoft takes action against fourth nation-state cybercrime group-image.png

    you know to go manually to your account page by either this link:
    But wait that "m" can be tricky can't it?
    Then go to settings\accounts\your info and click "Manage my Microsoft account"

    Microsoft takes action against fourth nation-state cybercrime group-image.png
      My Computers

  3. jimbo45's Avatar
    Posts : 10,559
    Windows / Linux : Arch Linux

    Hi there

    Sentiment is good -- but you might as well tell Foxes to stop attacking Chickens etc -- Laws like this without any serious international co-operation to enforce these and without serious meaningful punishments and dubious extradition schemes are just Lawyers fests. Is North Korea going to hand anybody over to the USA -- C'mon peeps just get real.

    Without getting into the realm of Politics too much it just seems nations are backing more and more away from what could be good International organisations to help enforce these things -- e.g USA from a lot of global commitments, America Free trade zone, UK from the EU, Turkey more and more away from NATO etc etc.

    These organisations of course aren't perfect but co-operation is much better than attempting this alone -- and when the chances of getting caught are very small and even if you do the chances of serious punishment are about zero, plus enormous amounts of money to be made -- well there you have it.

    Typical example of "Law of unintended consequences". --UK worried about illegal immigrants crossing from France to UK -- so they get more Navy patrol boats -- what happens -- not difficult to guess -- more people than ever go out in rickety boats to get picked up on a Free Ferry service provided by Her Majesty's Royal Navy to be taken to the UK.

    Not being harsh here but without serious International co-operation especially from big powerful countries like USA, Russia, China etc this stuff will continue and the only beneficiaries are theLawyers and the perps themselves.

    Then also as a further conspiracy theory --if you removed all computer threats -- what would happen to the huge cyber protection industry -- computer security people --hardware / software / NSA, CIA etc etc -- 100,000's out of work !!!!!

    Remember the IBM anti trust suite years ago -- didn't make 1 dollars worth of difference in spite of massive fines being levied -- appeals went on for years and a load of Lawyers retired rich on their fees.

      My Computer


  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 17:13.
Find Us

Windows 10 Forums