
How Microsoft Took Down Thallium Hacking Group’s Malicious Websites


Recently, in a major crackdown Microsoft took down several web domains operated by Thallium hacking group. Read on to know more about it…

In a major crackdown, Microsoft recently took down several web domains operated by the Thallium hacking group. Several of the group's attacks were carried out with the aim of infecting victims with malware such as KimJongRAT and BabyShark. “Once installed on a victim’s computer, this malware exfiltrates information from it, maintains a persistent presence and waits for further instructions,” Microsoft added, as reported by ZDNet. Bloomberg Law has published the list of 50 domains used by Thallium in its cyberespionage campaigns.

In late December 2019, the US District Court for the Eastern District of Virginia unsealed documents related to a lawsuit filed by Microsoft against the North Korea-linked cybercrime group Thallium. The suit was filed in Virginia because Thallium uses internet domains registered in that state. The hackers target Microsoft users by impersonating the company with the aim of stealing sensitive information. Thallium has been active since at least 2010.

The Crackdown
In a major crackdown, Microsoft has announced that it successfully took down 50 web domains operated by the North Korea-based Thallium hacking group. Microsoft was granted approval to do so by the US district court in Virginia, following a case filed against the hacking group.

The Thallium hacking group used malware to compromise systems and steal data. The seized web domains were the group's attack infrastructure: they were used to send phishing emails and to host phishing pages. The group would lure victims to these sites, steal their credentials, and then use those credentials to gain access to internal networks.

The victims included government employees, think tanks, university staff members, and members of organizations working on human rights and nuclear proliferation issues. Microsoft’s investigation revealed that most of the targets were based in the U.S., Japan, and South Korea. According to Microsoft, the hackers were able to gain access to high-value computer networks and highly sensitive information.

The APT group has been active since at least 2010, and Microsoft revealed that the hackers ran spear-phishing campaigns through legitimate email services including Gmail, Yahoo, and Hotmail.

Tracking Targets
Microsoft disclosed that its Digital Crimes Unit (DCU) and Microsoft Threat Intelligence Center (MSTIC) teams had been monitoring Thallium for months, tracking its activities and mapping its infrastructure. Shortly after Christmas, Microsoft took over the 50 domains with permission from the US authorities.

Previous Operations
Thallium is the fourth nation-state cybercrime group against which Microsoft has taken legal action; this is not the first time Microsoft has used a court order to disrupt the cyberespionage campaigns of foreign government-backed hacking groups.

Microsoft had previously disabled fake domains belonging to other nation-state groups: the Chinese hacking group Barium and Russia’s cyberespionage group Strontium, also known as Fancy Bear or APT28.

In July 2017, Microsoft tracked down campaigns conducted by the infamous Fancy Bear APT group. In March 2019, Microsoft announced that it had taken control of 99 domains used by an Iran-linked APT group tracked as Phosphorus.

Microsoft advises users to enable two-factor authentication whenever and wherever possible and to learn how to spot phishing schemes. It also suggests that companies organize training on the topic and enable security alerts at all levels, including alerts on email forwarding rules.
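The last recommendation, watching email forwarding rules, is worth seeing in code, because a credential-phishing intrusion of the kind described here typically ends with the attacker adding a mailbox rule that forwards mail outside the organisation and hides the copies. The script below is an added example written for this page, not code from the article or from Microsoft. The rule records it audits are constructed sample data, and their field names (forward_to, redirect_to, delete_message, move_to_folder) are an assumption that only loosely mirrors what a mailbox-rule export exposes; adapt the loader to whatever your mail platform actually returns.

```python
"""Audit mailbox inbox rules for forwarding or hiding behaviour that should raise an alert.

Constructed example: the InboxRule fields and the SAMPLE_RULES below are made up
for this page and are only loosely modelled on mailbox-rule exports; they are
assumptions, not any vendor's documented schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed: the organisation's own mail domains. Anything else is "external".
INTERNAL_DOMAINS = {"example.org"}

# Folders attackers commonly use to bury forwarded copies so the owner never sees them.
HIDING_FOLDERS = {"rss subscriptions", "deleted items", "junk email", "archive"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool = True
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: Optional[str] = None


def external_recipients(addresses: List[str], internal_domains=INTERNAL_DOMAINS) -> List[str]:
    """Return the addresses whose domain is not one of ours (case-insensitive)."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in internal_domains]


def audit_rule(rule: InboxRule, internal_domains=INTERNAL_DOMAINS) -> List[Tuple[str, str]]:
    """Return (severity, reason) findings for one rule; disabled rules are ignored."""
    findings: List[Tuple[str, str]] = []
    if not rule.enabled:
        return findings

    ext = external_recipients(rule.forward_to + rule.redirect_to, internal_domains)
    if ext:
        findings.append(("high", "forwards or redirects mail outside the organisation: " + ", ".join(ext)))

    hides = rule.delete_message or (rule.move_to_folder or "").lower() in HIDING_FOLDERS
    if hides:
        how = "deletes messages" if rule.delete_message else f"moves messages to '{rule.move_to_folder}'"
        findings.append(("medium", "hides mail from the mailbox owner: " + how))

    # Forward-and-hide together is the classic post-compromise persistence pattern.
    if ext and hides:
        findings.append(("high", "forwards and hides in the same rule"))
    return findings


def audit_mailboxes(rules: List[InboxRule], internal_domains=INTERNAL_DOMAINS) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map mailbox -> [(rule name, severity, reason)] for every rule that produced a finding."""
    report: Dict[str, List[Tuple[str, str, str]]] = {}
    for rule in rules:
        for severity, reason in audit_rule(rule, internal_domains):
            report.setdefault(rule.mailbox, []).append((rule.name, severity, reason))
    return report


# Constructed sample data: one benign sort rule, one forward-and-delete rule with a
# one-character name (a common attacker habit), one internal copy, one disabled rule.
SAMPLE_RULES = [
    InboxRule("alice@example.org", "Sort newsletters", move_to_folder="Newsletters"),
    InboxRule("bob@example.org", ".", forward_to=["collector@mail-drop.invalid"], delete_message=True),
    InboxRule("carol@example.org", "Copy to manager", forward_to=["dave@example.org"]),
    InboxRule("erin@example.org", "old rule", enabled=False, redirect_to=["x@mail-drop.invalid"]),
]

if __name__ == "__main__":
    for mailbox, items in audit_mailboxes(SAMPLE_RULES).items():
        for name, severity, reason in items:
            print(f"[{severity.upper()}] {mailbox} rule {name!r}: {reason}")
```

Run against the sample data, only bob's rule is reported: it forwards to an external address and deletes the original, so it yields both individual findings plus the combined high-severity one. The internal forward to a colleague and the disabled rule are deliberately left quiet, which keeps the alert useful rather than noisy; the list of hiding folders and the internal-domain set are the two knobs you would tune for your own environment.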

