Microsoft has revealed that a hacking group called “Thallium” which is believed to be operating from North Korea targeted government employees, think tanks, university staff members and individuals working on nuclear proliferation issues to steal information.
The company said that the Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) teams have been monitoring Thallium for months, tracking the group’s activities, and mapping its infrastructure.
A few days ago, the company filed a lawsuit against Thallium in a Virginia court and shortly after that, the US authorities granted Microsoft a court order which has allowed the tech company to take over 50 domains that hackers have been using as part of their attacks.
Tom Burt, Corporate Vice President of Customer Security & Trust at Microsoft said: “Based on victim information, the targets included government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals that work on nuclear proliferation issues.”
While the targeted users are from the U.S., Japan, and South Korea, most of them are based in the United States. Explaining the attacked, Microsoft revealed in a blog post that the hacker group Thallium tricked victims through a technique known as “spear phishing”, using credible-looking emails that appear legitimate at first glance.
The Microsoft executive said that in many of these attacks, the end goal was to infect victims with malware, such as KimJongRAT and BabyShark, two remote access trojans (RATs). This malware exfiltrates information from the system, maintains a persistent presence and waits for further instructions.
Microsoft said Thallium was the fourth nation-state hacking group against which it filed legal actions to take down the infrastructure they use to carry out cyberattacks.