Microsoft pins down another Nation-State Hacker group
Dubbed Thallium, the North Korean-backed group was involved in large-scale malicious cyber activity
We live in the information age, where conventional wars have given way to cyberwarfare. Being the most wired country in the world, the U.S. receives the brunt of attacks from hackers & other nefarious players online. With the recent escalation of geopolitical tensions in the Middle East, we may see an increase in such attacks by Iranian hackers on U.S. targets online.
Talking about specific targets, the Microsoft Office suite is the most widely used software around the world, and it is also the favorite target for hackers, since it offers the most vulnerabilities. According to a recent report by Kaspersky Lab for Q3 2019, over 70% of the total complaints received by Kaspersky were related to applications within Microsoft Office (figure below).
Microsoft’s Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have recently been tracking the activity of one such hacker group, Thallium, and found that the group was running a network of websites, domains & internet-connected computers for its malicious activities. Armed with a court order, Microsoft was able to take down 50 domains that Thallium was using to conduct its nefarious activities.
The network was targeting victims with a combination of spear-phishing and malware. The first involves tricking people into clicking on malicious links that lead to pages asking them to input personal information, while the latter involves installing malicious code on the victim’s computer, compromising the system and stealing data. The malware maintains its presence on the machine, waiting for further instructions from a third-party server that controls it.
Thallium’s typical mode of attack is spear-phishing: the group first gathers personal information about targeted individuals from sources such as social media profiles and other public directories, then sends them a credible-looking email (Figure 2 below). However, a closer inspection of such a message reveals the discrepancies. Look how the “r” and “n” (underlined in red) are made to look like the “m” in microsoft.com.
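The “rn” versus “m” trick is one of a family of lookalike-domain tricks (digits for letters, Cyrillic letters for Latin ones, a trusted name used as a subdomain of an attacker domain). The following added example, which is not code from the article or from Microsoft, shows how a mail gateway or triage script can catch them: it reduces each domain to a “skeleton” in which confusable spellings collapse together and compares that skeleton against a list of domains the organisation trusts. The trusted-domain list, the sender addresses in the test and the small confusable tables are all constructed for this example; a real deployment would carry a much larger confusable table.

```python
import unicodedata
from email.utils import parseaddr
from typing import Optional

# Domains the organisation expects legitimate mail from. Constructed for this
# example; a real deployment loads its own list.
TRUSTED_DOMAINS = ("microsoft.com", "example.org")

# Multi-character sequences that render like one letter in proportional fonts.
# "rn" -> "m" is exactly the substitution in the article's phishing sample.
MULTI_CHAR_CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"))

# Single characters commonly swapped for a Latin letter: digits and the Cyrillic
# letters whose glyphs are indistinguishable from a, c, e, o, p, x, y.
SINGLE_CHAR_CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "|": "l",
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y",
})


def skeleton(domain: str) -> str:
    """Reduce a domain to a skeleton in which lookalike spellings collapse together."""
    s = unicodedata.normalize("NFKD", domain.lower())
    # Drop combining marks so accented letters compare as their base letter (e.g. é -> e).
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    s = s.translate(SINGLE_CHAR_CONFUSABLES)
    for seq, canon in MULTI_CHAR_CONFUSABLES:
        s = s.replace(seq, canon)
    return s


def sender_domain(address: str) -> Optional[str]:
    """Extract the domain from a From: header value, decoding punycode (xn--) labels."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].strip().rstrip(".").lower()
    if "xn--" in domain:
        try:
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # undecodable label: keep it as-is, it will not match a trusted domain
    return domain


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a (decoded, lowercase) domain."""
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"          # the domain itself or a real subdomain of it
    sk = skeleton(domain)
    for t in trusted:
        tsk = skeleton(t)
        # Same skeleton as a trusted domain, a fake subdomain of one, or a trusted
        # name used as the leading labels of some other domain: all lookalikes.
        if sk == tsk or sk.endswith("." + tsk) or sk.startswith(tsk + "."):
            return "lookalike"
    return "unknown"


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a From: address as 'trusted', 'lookalike', 'unknown' or 'invalid'."""
    domain = sender_domain(address)
    if domain is None:
        return "invalid"
    return classify_domain(domain, trusted)


if __name__ == "__main__":
    # Constructed sample senders, not addresses seen in any real campaign.
    for sample in (
        "no-reply@microsoft.com",
        "Microsoft Account Team <no-reply@rnicrosoft.com>",
        "security@micr\u043esoft.com",
        "helpdesk@microsoft.com.attacker.example",
    ):
        print(f"{classify_sender(sample):9s}  {sample}")
```

Anything classified as “lookalike” is a strong signal on its own; “unknown” merely means the domain is neither trusted nor an obvious imitation, so it still goes through the normal filters.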
Once a victim clicks the fake link, they are taken to a fraudulent website that asks for their login credentials. Once Thallium has those credentials, it can log into the victim’s accounts and read their emails, contacts, appointments & other personal information.
Thallium also creates a mail-forwarding rule in the account settings so that all of the victim’s email is forwarded to Thallium-controlled accounts. That rule has to be deleted; otherwise the attackers keep receiving the victim’s email even after the password is changed.
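Because a forwarding rule survives a password reset, an incident responder audits inbox rules for every affected mailbox rather than only resetting credentials. The following added example (not code from the article or from Microsoft) runs that audit over an exported list of rules: it flags any enabled rule that forwards or redirects mail to an address outside the organisation’s own domains. The rule records and the organisation’s domain are constructed; the property names (`Name`, `Enabled`, `ForwardTo`, `ForwardAsAttachmentTo`, `RedirectTo`, `MailboxOwnerId`) and the `"Name" [SMTP:address]` recipient format follow what Exchange Online’s `Get-InboxRule` prints, which is assumed here to be the export source.

```python
import re
from typing import List, Optional, Union

# The organisation's own mail domains. Constructed for this example.
ORG_DOMAINS = ("example.org",)

# Rule properties that send a copy of, or move, incoming mail somewhere else.
FORWARDING_PROPERTIES = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Recipients exported from Exchange often look like '"Display Name" [SMTP:user@host]'.
_SMTP_IN_BRACKETS = re.compile(r"\[SMTP:([^\]]+)\]", re.IGNORECASE)


def recipient_addresses(value: Union[None, str, List[str]]) -> List[str]:
    """Normalise a recipient property (string or list) to plain lowercase addresses."""
    if value is None:
        return []
    entries = [value] if isinstance(value, str) else list(value)
    addresses = []
    for entry in entries:
        match = _SMTP_IN_BRACKETS.search(entry)
        addresses.append((match.group(1) if match else entry).strip().lower())
    return addresses


def is_internal(address: str, org_domains=ORG_DOMAINS) -> bool:
    """True when the address belongs to one of the organisation's domains or a subdomain."""
    if "@" not in address:
        return False
    domain = address.rsplit("@", 1)[1]
    return any(domain == d or domain.endswith("." + d) for d in org_domains)


def find_external_forwarding(rules: List[dict], org_domains=ORG_DOMAINS) -> List[dict]:
    """Return one finding per enabled rule that sends mail outside the organisation."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue  # disabled rules do nothing, but note them separately if you re-enable audit
        external = []
        for prop in FORWARDING_PROPERTIES:
            external += [a for a in recipient_addresses(rule.get(prop))
                         if not is_internal(a, org_domains)]
        if external:
            findings.append({
                "mailbox": rule["MailboxOwnerId"],
                "rule": rule["Name"],
                "external": sorted(set(external)),
            })
    return findings


# Constructed sample export: one legitimate internal forward, one external redirect,
# one disabled external forward and one rule that forwards nothing.
SAMPLE_RULES = [
    {"MailboxOwnerId": "alice@example.org", "Name": "Keep manager in the loop",
     "Enabled": True, "ForwardTo": ['"Bob" [SMTP:bob@example.org]']},
    {"MailboxOwnerId": "alice@example.org", "Name": "Sync",
     "Enabled": True, "RedirectTo": ['"Alice" [SMTP:collector@attacker.example]']},
    {"MailboxOwnerId": "carol@example.org", "Name": "Old home forward",
     "Enabled": False, "ForwardAsAttachmentTo": ["carol.home@mail.example.net"]},
    {"MailboxOwnerId": "dave@example.org", "Name": "File newsletters",
     "Enabled": True, "MoveToFolder": "Newsletters"},
]


if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_RULES):
        print(f"{finding['mailbox']}: rule {finding['rule']!r} forwards to {finding['external']}")
```

The check treats a redirect (which can leave no copy in the victim’s inbox) the same as a forward, because either one keeps delivering mail to the attacker until the rule is removed; the “external” list in each finding is what the responder deletes and then blocks at the tenant level.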
According to Microsoft’s blog, targets of these cyber attacks included government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals who work on nuclear proliferation issues, mostly based in the U.S., Japan & South Korea. The malware families employed by Thallium to compromise the targeted systems are called “BabyShark” and “KimJongRAT.”
This is the fourth nation-state activity group against which Microsoft has had to opt for legal action to take down malicious network infrastructure. The other three groups disrupted by Microsoft were Barium from China, Strontium from Russia & Phosphorus from Iran.
In similar news, Kaspersky has released another report suggesting that Lazarus, a well-known hacker group also believed to have ties to the North Korean dictatorship, is using the privacy-centric messaging app Telegram to steal cryptocurrency.
While Microsoft has pledged to improve the security of its products using what it learned from the Thallium case, there are things you can do to protect yourself: use two-factor authentication on all your accounts, learn to identify phishing scams & enable alerts about links and files from suspicious websites.