Microsoft has confirmed a hacking attack against Microsoft users by a group believed to operate out of North Korea, the tech giant said in a blog post Monday.
The company said it is suing the hacking group, which it calls Thallium, in U.S. courts, and won a court order that enabled the company to take control of 50 domains the group used to conduct its hacking.
Microsoft said its Digital Crimes Unit and Threat Intelligence Center have been tracking and gathering information on Thallium, which included monitoring their activities to establish and operate a network of websites, domains and internet-connected computers.
The network was used to target government officials, think tanks, universities, world peace and human rights organizations and nuclear proliferation experts. Most attacks were focused on people in the U.S., but some were in Japan and South Korea, Microsoft said.
Thallium used a tactic called spear phishing, which entails gathering information about individuals from public sources like social media and staff lists to craft a personalized spear-phishing email designed to appear legitimate. For example, Thallium would send emails claiming to be from Microsoft, but the sending address was spoofed by combining the letters “r” and “n” to appear as the first letter in Microsoft’s domain.
The email contained a link that redirects a user to a website that requests account information, allowing Thallium to access their account, view emails, contact lists, appointment and other data. The group even created a new mail forwarding rule that forwarded all emails sent to the victim to Thallium-controlled accounts, allowing the group to access emails even after a password change.
Microsoft called Thallium the fourth known nation-state hacking group to face legal action. Previous groups operated out of China, Russia and Iran.
“These actions have resulted in the takedown of hundreds of domains, the protection of thousands of victims and improved the security of the ecosystem,” the company said in the post.
Microsoft recommends it users enable two-factor authentication on all accounts, learn how to spot phishing schemes and enable security alerts about links and files from suspicious websites and check email forwarding rules for suspicious activity.
Leave a Reply