Microsoft seizes 50 domains controlled by North Korean hackers targeting US, Japan and South Korea

The 50 domains, controlled by a North Korean hacking group, targeted victims mostly from the US, Japan and South Korea

The tech giant Microsoft has announced that it identified almost 50 domains previously used by a North Korea-backed hacking group (APT37) and has now taken them down. The firm said that the hackers used these domains to launch cyberattacks.

The experts from the Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been monitoring the group, which is also called Thallium, for months. The team of researchers tracked the activities of the group and understood its infrastructure.

North Korean hacking group

Thallium is a hacking group that appears to be associated with the North Korean military. It has apparently spent years launching attacks against Western diplomatic and national security entities concerned with Pyongyang's ambitions.

Microsoft filed a lawsuit against the group in a Virginia court on Dec. 18, following which the US authorities allowed the tech company to take down all 50 domains, which the North Korean hackers had been using to send phishing emails and host phishing pages as part of their cyberattacks.

Microsoft investigation

According to the experts, the North Korean hackers would have targeted victims through these 50 sites. Thallium hackers would have stolen the victims' credentials and then gained access to internal networks. Microsoft stated that it has tracked this hacking group's offensive operation along with the infected hosts.

Tom Burt, Corporate Vice President of Customer Security & Trust at Microsoft, stated that the hackers mainly targeted "government employees, think tanks, university staff members, members of organizations focused on world peace and human rights and individuals that work on nuclear proliferation issues."

In many of these attacks, targets were based in the US, Japan and South Korea, and the objective was to infect victims with malware such as KimJongRAT and BabyShark, two remote access trojans (RATs). In addition to this, Burt said, "Once installed on a victim's computer, this malware exfiltrates information from it, maintains a persistent presence and waits for further instructions."

Taking down malicious sites

Microsoft has taken this kind of legal action before: almost 12 times against a Russian hacking group called Strontium (APT28, Fancy Bear), taking down 84 domains in 2018. The company also used court orders to take control of 99 sites operated by an Iran-linked cybercriminal group, Phosphorus (APT35). Earlier, the tech giant also disrupted malicious operations of a Chinese government-backed hacking group known as Barium.

North Korean hackers

North Korean hacking groups have carried out several cybersecurity incidents. Just after the Sony cybersecurity attack, another attack took place in 2015 on the Central Bank of Bangladesh, which has been described as one of the most sensational attacks linked to North Korean hackers. In this attack, the hacking group made off with $81 million.

As stated by security company Group-IB in 2017, North Korean hackers were responsible for around 65 percent of all crypto exchange hacks. In 2018, India's Cosmos Bank was attacked by cybercriminals who stole $13.5 million; according to reports, the culprits were from North Korea, and they went on to infiltrate the Bank of Chile's ATM network and siphon off $10 million.
