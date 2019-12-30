

Microsoft announced today that it has taken control of 50 web domains previously used by a hacking group backed by the North Korean government.

The OS maker said the 50 domains were used to launch cyberattacks by a group the company tracks as Thallium (also known as APT37).

Microsoft said that its Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been monitoring Thallium for months, following the group's activities and mapping its infrastructure.

On December 18, the Redmond-based company filed a lawsuit against Thallium in a Virginia court. Shortly after Christmas, the court granted Microsoft an order allowing the company to take over the 50 domains the North Korean hackers had been using as part of their attacks.

The domains were used to send phishing emails and to host phishing pages. Thallium operators would lure victims to these sites, steal their credentials, and then use those credentials to gain access to internal networks, from which they would escalate their attacks further.

One of the phishing emails sent by Thallium

Image: Microsoft

Microsoft said that in addition to tracking Thallium's offensive operations, it also tracked infected hosts in order to identify victims.

"Based on victim information, the targets included government employees, think tanks, university staff members, members of organizations that focus on world peace and human rights, and individuals that work on nuclear proliferation issues," said Tom Burt, Corporate Vice President of Customer Security and Trust at Microsoft, today.

"Most of the targets were based in the United States, as well as in Japan and South Korea," Burt added.

The Microsoft executive said that in many of these attacks the ultimate goal was to infect victims with malware such as KimJongRAT and BabyShark, two remote access Trojans (RATs).

"Once installed on a victim's computer, this malware exfiltrates information from it, maintains a persistent presence, and waits for further instructions," Burt said.

Image: Palo Alto Networks

This is not the first time Microsoft has used a court order to disrupt the operations of government-backed foreign hacking groups.

Microsoft has used this approach 12 times against a Russian group known as Strontium (APT28, Fancy Bear), seizing 84 domains in total, most recently in August 2018.

The company also used a court order to seize 99 domains operated by Phosphorus (APT35), a cyber-espionage group linked to Iran.

Microsoft has also used court orders to disrupt the operations of Barium, a hacking group backed by the Chinese government, although details about those actions are scarce.