Microsoft: Uncover the cyber-attack group
The Microsoft Digital Crimes Unit (DCU) has confirmed that it has been tracking a hacking campaign targeting Windows users. Unlike recent threats, this one was a lot more personal.
DCU – along with the Microsoft Threat Intelligence Center (MSTIC) – has been observing an advanced persistent threat (APT) hacking group working on a large-scale criminal network to compromise accounts and steal data.
The group behind these cyberattacks appears to be located in North Korea. Microsoft has named the group “Thallium”; it is also known as APT37. Its main targets appear to be university staff, government employees, people working on nuclear proliferation issues, and people working on world peace and human rights.
The majority of targets have been found in the U.S., but Microsoft confirmed that some individuals in Japan and South Korea have also found themselves in the hackers’ crosshairs.
The attacks are confirmed in a December 30 posting by Tom Burt – corporate vice-president of customer security and trust at Microsoft.
“On December 27, a U.S. district court opens up the documents presenting work Microsoft has performed to damage cyberattacks from a threat group we call Thallium,” he said.
“In addition to targeting user credentials, Thallium also utilizes malware to compromise systems and steal data,” he added.
The malware used in these attacks is known to include BabyShark and KimJongRAT. Once installed on a Windows computer it exfiltrates data, but it also follows a persistent attack strategy, waiting patiently in the background for additional instructions from the hacking group.
The court order that Microsoft successfully pursued authorized the company to take control of 50 internet domains that APT37 was using in connection with its ongoing cyberattacks.
“With this action, the sites can no longer be used to carry out attacks,” Burt said.
The domains mattered because, like so many reportedly state-sponsored APT hacking groups, Thallium used what is known as spear-phishing to begin an attack.
Unlike scatter-gun phishing emails, which are sent to hundreds of thousands of people in the hope that some will take the bait, spear-phishing targets particular people within organizations. These people have already been “scoped” by the attackers, using social media, company directories and other open-source intelligence (OSINT) data, so that each phishing message can be customized to its target.
To protect against this kind of attack, a Windows user should:
- Enable two-factor authentication (2FA) on all email accounts.
- Check your email forwarding rules to find out whether an attacker has slipped past your defenses and is receiving copies of all the mail sent to you.
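The forwarding-rule check above can be automated. The script below is an added example, not code from the article or from Microsoft: it audits an export of inbox rules and mailbox forwarding settings and flags anything that copies mail to an address outside the organisation. The field names mirror Exchange Online attribute names (ForwardTo, RedirectTo, ForwardAsAttachmentTo, ForwardingSmtpAddress), but the rule data and the internal domain are constructed for illustration.

```python
import re

INTERNAL_DOMAINS = {"example.org"}  # assumption: the organisation's own domains
# Constructed sample data shaped like a Get-InboxRule / Get-Mailbox export.
SAMPLE_RULES = [
    {"Mailbox": "alice@example.org", "Name": "Archive HR", "Enabled": True,
     "ForwardTo": ['"HR Archive" [SMTP:hr-archive@example.org]'], "DeleteMessage": False},
    {"Mailbox": "alice@example.org", "Name": ".", "Enabled": True,
     "ForwardAsAttachmentTo": ["backup.mail@attacker-mailbox.example"], "DeleteMessage": True},
    {"Mailbox": "bob@example.org", "Name": "Old rule", "Enabled": False,
     "RedirectTo": ["bob.home@webmail.example"], "DeleteMessage": False},
]
SAMPLE_MAILBOXES = [
    {"Mailbox": "carol@example.org", "ForwardingSmtpAddress": "smtp:c.personal@webmail.example"},
    {"Mailbox": "alice@example.org", "ForwardingSmtpAddress": None},
]
RULE_RECIPIENT_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

def extract_address(recipient: str) -> str:
    """Normalise '"Name" [SMTP:x@y]' or 'smtp:x@y' to a bare lower-case address."""
    m = re.search(r"\[SMTP:([^\]]+)\]", recipient, re.IGNORECASE)
    addr = m.group(1) if m else recipient
    return re.sub(r"^smtp:", "", addr.strip(), flags=re.IGNORECASE).lower()

def is_external(address: str, internal_domains) -> bool:
    return address.rpartition("@")[2] not in {d.lower() for d in internal_domains}

def audit_forwarding(rules, mailboxes, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per enabled rule or mailbox setting that sends mail outside."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        for field in RULE_RECIPIENT_FIELDS:
            for addr in map(extract_address, rule.get(field, [])):
                if is_external(addr, internal_domains):
                    # Deleting the original or using a near-empty rule name hides the copy
                    hidden = rule.get("DeleteMessage") or not rule.get("Name", "").strip(". ")
                    findings.append({"mailbox": rule["Mailbox"], "source": f"inbox rule {field}",
                                     "recipient": addr, "severity": "high" if hidden else "medium"})
    for mbx in mailboxes:
        target = mbx.get("ForwardingSmtpAddress")
        if target and is_external(extract_address(target), internal_domains):
            findings.append({"mailbox": mbx["Mailbox"], "source": "mailbox ForwardingSmtpAddress",
                             "recipient": extract_address(target), "severity": "medium"})
    return findings

if __name__ == "__main__":
    for f in audit_forwarding(SAMPLE_RULES, SAMPLE_MAILBOXES):
        print(f"[{f['severity']}] {f['mailbox']}: {f['source']} -> {f['recipient']}")
```

On a real tenant the same logic runs over the output of the Exchange Online cmdlets; disabled rules are skipped here, so review them separately if you want to catch rules an attacker could simply re-enable.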