Microsoft Takes Control of 50 North Korean Domains

Thallium: On December 30th, 2019, Microsoft announced that it had taken control of 50 domains linked to the North Korean hacking group called Thallium. The domains were being used in spear-phishing campaigns that attempted to trick victims into clicking links leading to the malicious domains. In one case, the threat actor was seen replacing the “m” in Microsoft[.]com with an “r” followed by an “n,” visually tricking users into thinking that they were going to the actual Microsoft domain. The main goal of the group is to compromise victims’ online accounts, infect their computers, compromise the security of their networks and steal sensitive information. Targets of this campaign included government employees, think tanks, university staff members, groups focused on human rights and individuals who work in the nuclear profession. The group used these techniques to steal account credentials using fake Microsoft login pages, but would also deploy malware such as “BabyShark” and “KimJongRAT.”

Analyst Notes

Microsoft has taken this course of action before against four other nation-state groups. By legally taking control of the domains, there is nothing the threat group can do to get them back, and it will need to restart the campaign from the beginning. Enabling Two-Factor Authentication is one of the easiest ways to stop credential-stealing attacks: even if the password for an account is compromised, the attacker would also need to find a way to defeat the second factor. Companies should also train employees on how to spot phishing emails and empower them to report suspected phishing to their company’s IT security department. Organizations must understand how these emails are compiled and generated. Using company directories, threat actors can cross-reference employees against social media websites to gather information and personalize the emails. It is also important to know that when accounts are leaked from sources such as marketing databases, the chance that employees receive these emails from threat actors increases. Utilizing a service such as Binary Defense’s Counterintelligence team to search for and report on leaked accounts is a great way to combat this, by alerting employees to the potential for phishing emails before the threat actors begin to attack the company. Binary Defense also provides monitoring and alerting to companies when a new domain name is registered that resembles the company’s domain name, providing another early warning of potential phishing or fake-website activity by threat actors. The full blog post from Microsoft can be found here:
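As an added illustration of the “rn” for “m” lookalike trick described above and of the kind of new-domain monitoring mentioned in these notes, the following Python script (example code written for this page, not Binary Defense’s or Microsoft’s tooling) folds common visual confusables, then flags candidate domains that collide with, typo-squat, embed, or re-use a protected brand label under a different TLD. The watchlist PROTECTED_DOMAINS, the SAMPLE_FEED of “newly registered” domains, the confusable table and the edit-distance threshold are all constructed assumptions for the example.

```python
# Added example (not from the Binary Defense post): a small lookalike-domain
# check a defender might run over a feed of newly registered domains or over
# sender domains in inbound mail. Watchlist, feed and thresholds are assumed.
import unicodedata

# Character sequences that render like another character in many fonts.
# "rn" -> "m" is the substitution described in the post; the rest are common
# typo-squatting swaps. This table is a constructed, non-exhaustive sample.
CONFUSABLE_SEQUENCES = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
}

PROTECTED_DOMAINS = ["microsoft.com", "examplecorp.com"]   # assumed watchlist

# Constructed sample of "newly registered" domains for the demonstration
SAMPLE_FEED = [
    "login.microsoft.com",   # legitimate subdomain of a protected domain
    "rnicrosoft.com",        # the rn -> m trick
    "micros0ft-login.net",   # digit swap plus brand embedded in a longer label
    "microsft.com",          # one-character typo
    "microsoft.example",     # correct label, wrong registry / TLD
    "examplecorp-hr.com",    # brand embedded in a longer label
    "unrelated.org",         # should not be flagged
]


def normalize_label(label: str) -> str:
    """Fold a label so visually similar spellings collide on the same string."""
    # NFKD splits accented characters into base + combining mark; anything still
    # non-ASCII afterwards is dropped, so stray homoglyphs surface as short edits.
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(ch for ch in label if ord(ch) < 128)
    # Apply multi-character confusables before single characters
    for seq, repl in sorted(CONFUSABLE_SEQUENCES.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(seq, repl)
    return label.replace("-", "")   # hyphens are free padding for squatters


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance; catches one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'microsoft' from 'login.microsoft.com'.
    Simplification: multi-part suffixes such as co.uk need a public-suffix list."""
    parts = domain.strip().lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_domain(candidate: str, protected, max_distance: int = 1) -> dict:
    """Compare one domain against the protected list; reason 'none' means clean."""
    full = candidate.strip().lower().rstrip(".")
    cand_label = registrable_label(candidate)
    cand_norm = normalize_label(cand_label)
    for brand in protected:
        brand_label = registrable_label(brand)
        brand_norm = normalize_label(brand_label)
        if cand_label == brand_label:
            # Same label: either our own (sub)domain or the brand on another TLD
            legit = full == brand or full.endswith("." + brand)
            return {"domain": candidate, "brand": brand,
                    "reason": "exact" if legit else "wrong_tld"}
        if cand_norm == brand_norm:
            return {"domain": candidate, "brand": brand, "reason": "confusable"}
        if levenshtein(cand_label, brand_label) <= max_distance:
            return {"domain": candidate, "brand": brand, "reason": "typo"}
        if brand_norm in cand_norm:
            return {"domain": candidate, "brand": brand, "reason": "embedded"}
    return {"domain": candidate, "brand": None, "reason": "none"}


def scan_domains(domains, protected) -> list:
    """Return only the findings worth an alert (everything except clean/exact)."""
    results = (classify_domain(d, protected) for d in domains)
    return [r for r in results if r["reason"] not in ("none", "exact")]


if __name__ == "__main__":
    for finding in scan_domains(SAMPLE_FEED, PROTECTED_DOMAINS):
        print(f"{finding['domain']:<22} {finding['reason']:<11} -> {finding['brand']}")
```

Two caveats worth noting before using something like this in production: internationalised labels arrive punycode-encoded (the `xn--` prefix) and should be decoded to Unicode before normalisation, and the single-edit `max_distance` threshold is a trade-off between catching short-label squats and alert volume, so it should be tuned per brand rather than fixed.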