Microsoft Disrupts an Attack Launched by North Korean Hacker Group


Microsoft has disrupted an attack launched by a North Korean hacker group called Thallium. This follows multiple attempts by nation-state groups to attack the company, each of which was detected along the way. According to the report, the North Korean hacker group employs a type of phishing technique to infect targets, steal sensitive information and offer it for sale on the dark web.

Recently, it was reported that a Chinese hacker group has also resumed operations using a similar technique to steal from victims.
According to Microsoft’s Corporate Vice President of Customer Security & Trust, Tom Burt, the North Korean hacker group uses spear-phishing to steal information from individuals and government employees who work on nuclear proliferation issues.

[Image: North Korean Hacker Group]

Thallium resorted to spear-phishing to attack Microsoft because it is a more sophisticated version of phishing: it impersonates an associate, a working colleague or a service provider in order to win the target’s trust and trick them into clicking a malicious link that can steal their login credentials or infect their system with malware.

This type of attack usually targets the weakest link in a company’s security chain (the employee) and convinces them to click on the malicious link. According to the report, Thallium has successfully used this technique to steal from a number of organizations in South Korea, Japan, and the US.

The spear-phishing technique used by the North Korean hacker group operates differently from scattergun phishing campaigns, which send malicious emails to hundreds of individuals in the hope that at least some of them will fall for the deception and click on the link. The attack used by Thallium is launched against selected, targeted individuals.

The North Korean hackers do not only steal credentials; they also deploy malware, said to include BabyShark and KimJongRAT, to compromise Windows systems and exfiltrate data once installed. The malware is also known to persist on the system, waiting silently in the background for instructions from the threat actors.

It was revealed that the North Korean hacker group gathers information from the public personnel directories of the organizations the targeted individuals are involved with, from social media, and from other public services. According to Tom Burt, the hackers were able to design a personalized email that looks genuine in order to deceive the targets. An interesting revelation was that the North Korean hackers had spoofed the Microsoft domain by replacing the first letter “m” with the pair “r” and “n”, which together resemble an “m”.
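As an added example (not from the Forbes report or from Microsoft’s own tooling), the following Python check collapses the “rn” for “m” substitution described above and flags a sender domain that only matches a trusted domain after that normalization; the trusted-domain list, the extra confusable pair and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed list of sender domains the check treats as legitimate.
TRUSTED_DOMAINS = {"microsoft.com", "accountprotection.microsoft.com"}

# Letter pairs that render almost identically to a single letter in many fonts.
# "rn" -> "m" is the substitution the article describes; "vv" -> "w" is an
# additional, commonly seen variant added here as an example.
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w"}


def normalize_confusables(domain: str) -> str:
    """Collapse lookalike letter pairs so 'rnicrosoft.com' becomes 'microsoft.com'."""
    out = domain.lower()
    for pair, single in CONFUSABLE_PAIRS.items():
        out = out.replace(pair, single)
    return out


def _matches_trusted(domain: str) -> bool:
    """True if the domain is a trusted domain or a subdomain of one."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for an email From: header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unknown"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    if _matches_trusted(domain):
        return "trusted"
    normalized = normalize_confusables(domain)
    # Only a domain that becomes trusted *after* normalization is a lookalike.
    if normalized != domain and _matches_trusted(normalized):
        return "lookalike"
    return "unknown"


# Constructed sample headers, not real messages.
SAMPLE_HEADERS = [
    "Microsoft Account Team <no-reply@accountprotection.microsoft.com>",
    "Microsoft Account Team <no-reply@accountprotection.rnicrosoft.com>",
    "Security Alert <alerts@login.rnicrosoft.com>",
    "Colleague <someone@example.org>",
]


def scan_headers(headers):
    """Map each From: header to its classification."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in scan_headers(SAMPLE_HEADERS).items():
        print(f"{verdict:9s} {header}")
```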

[Image: North Korean Hacker Group]

This technique has been used on many occasions to deceive targets into unknowingly giving attackers access to the company’s systems.
Burt admitted that this phishing technique is an old one, but it remains very effective because it uses fake email addresses to lure targets. He further revealed that the attack from the North Korean hacker group is the fourth recorded attack on Microsoft by a nation-state group.

It was stated that the company has disrupted multiple attacks from hackers originating from Russia, China, and Iran. Burt clarified that the previous disruptions targeted Strontium, originating from Russia; Barium, originating from China; and Phosphorus, originating from Iran.

According to the report, Strontium from Russia has used a similar technique to target US government officials in the past. This technique was detected during the 2016 US presidential election and the 2018 US midterm elections. Microsoft has also taken over phishing domains in the past, which include “” and “”. According to the report, this has involved taking down hundreds of domains, improving the protection of thousands of people and of the wider ecosystem.

Microsoft took the state-sponsored hacker group to court, and the court ordered Microsoft to take control of the 50 domains linked to the ongoing cyber-attack operations, as outlined by Burt. Burt clarified that, as a result of this action, the sites can no longer be used to execute attacks.

Burt stated that despite their efforts to deal with this issue, there is more to be done. According to him, it is important for governments and the private sector to be more transparent about nation-state activity, as this will have a positive impact on the global dialogue about protecting the internet.

It has been stated that Windows users can effectively protect themselves by enabling two-factor authentication on all their email accounts. Most hackers target email as a gateway to infect computer systems with malware. Keeping antivirus software updated to the latest release is another overlooked but secure way of guarding oneself against malicious attacks by hackers.

Source: Forbes
