Microsoft Takes Court Action Against Fourth Nation-State Cybercrime Group (Dec 30, 2019)

Microsoft has filed a court case against the suspected North Korean group “Thallium”. The group typically uses spear phishing to compromise victim accounts, gaining access to the victim's calendar, contacts, and emails. The court's ruling has enabled Microsoft to take control of 50 domains the group has been using, so the group can no longer use these sites in attacks. Thallium, a suspected North Korean Advanced Persistent Threat (APT) group, has been active since at least 2010, targeting government, non-governmental organization (NGO) and university employees through legitimate services such as Gmail, Hotmail and Yahoo. In addition to stealing sensitive data, the group uses the malware ‘BabyShark’ and ‘KimJongRAT’ in its attacks.

Recommendation: Spear phishing emails represent a significant security risk because the sending address will often appear legitimate to the target; sometimes an email account at the target company is compromised and used to send such emails. Education is the best defense: inform your employees about what information requests from their managers and colleagues should look like. Employees should also know whom to contact when they suspect they are the target of a possible spear phishing attack. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, with a focus on both network and host-based security. Prevention and detection capabilities should also be in place.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.