Microsoft takes legal action against North Korean cybercrime group

by Maggie Miller - 12/30/19 4:39 PM ET

Microsoft on Monday announced that it has taken legal action against a North Korean-based cybercrime group that was using websites and other domains to attack individuals and companies in the U.S., South Korea and Japan.

Tom Burt, the corporate vice president of consumer security and trust at Microsoft, wrote in a blog post that a case filed with the U.S. District Court for the Eastern District of Virginia, unsealed last week, allowed Microsoft to take control of 50 domains controlled by the group as well as halt cyberattacks.

Burt wrote that the cybercrime group, known as Thallium, used a network of websites, domains and internet-connected computers to target and steal the personal information of government and university employees, think tanks, organizations focused on human rights and world peace, and individuals working in the field of nuclear proliferation.

The cybercrime group would compromise the online accounts of victims by sending “spear phishing” emails and would then infect their computers and steal sensitive information.

“Thallium typically attempts to trick victims through a technique known as spear phishing,” Burt wrote. “By gathering information about the targeted individuals from social media, public personnel directories from organizations the individual is involved with and other public sources, Thallium is able to craft a personalized spear-phishing email in a way that gives the email credibility to the target.”

The fake email would encourage the victim to input their email user credentials, which would give the cybercriminals access to their accounts. Thallium also used malware viruses to infect the victim’s computer system, which, once installed, could steal data and send it to the attackers.

“As we’ve said in the past, we believe it’s important to share significant threat activity like that we’re announcing today,” Burt wrote. “We think it’s critical that governments and the private sector are increasingly transparent about nation-state activity so we can all continue the global dialogue about protecting the internet.”

Burt strongly encouraged all Microsoft customers to enable two-factor authentication on their email accounts, enable security alerts and learn more about email phishing campaigns in order to prevent similar attacks.

The legal action taken against Thallium marks the fourth time Microsoft has taken action against international cybercrime groups.

The company has previously raised awareness about and targeted cybercrime groups linked to China, Russia and Iran, including announcing in October that an Iranian group known as Phosphorus had targeted the reelection campaign of President Trump along with attempting to compromise thousands of other Microsoft accounts.