BETA
This is a BETA experience. You may opt-out by clicking here

More From Forbes

Transforming The Future Of Cybersecurity
FBI Issues New Warning As 2024 Gift Card Hackers Blitz Retailers
Apple Hacked Again—These 2 Hackers Can’t Stop Finding Security Flaws
Google Issues Update Now Warning For 2 Billion Chrome Users
Dell Confirms Database Hacked—Hacker Says 49 Million Customers Hit
iOS 18—Apple’s New AI Security Move Will Transform Your iPhone Forever
Edit Story
ForbesInnovationCybersecurity
Editors' Pick

Windows Hack Attackers Confirmed As Microsoft Responds With Powerful Counterpunch

Davey Winder
Senior Contributor
Opinions expressed by Forbes Contributors are their own.
Veteran cybersecurity and tech analyst, journalist, hacker, author
Following
This article is more than 4 years old.

It has been confirmed that the Microsoft Digital Crimes Unit (DCU) has been tracking a hacking campaign against Windows users. Unlike recent threats involving zero-day vulnerabilities facing Windows users, this time the danger is a lot more personal.

Along with the Microsoft Threat Intelligence Center (MSTIC), the DCU has been monitoring an advanced persistent threat (APT) hacking group operating an extensive criminal network to compromise accounts and steal data.

Who is behind the Microsoft Windows attack campaign?

The threat group behind these cyber-attacks is thought to be based in North Korea and has been named as "Thallium" by Microsoft. The hacking group appears to have been targeting government employees, university staff, those working on nuclear proliferation issues, as well as world peace and human right. The majority of those targeted were based in the U.S. but Microsoft has confirmed individuals in Japan and South Korea also found themselves in the hacking crosshairs.

Tom Burt, corporate vice-president of customer security and trust at Microsoft, confirmed the attacks in a December 30 posting. "On December 27, a U.S. district court unsealed documents detailing work Microsoft has performed to disrupt cyberattacks from a threat group we call Thallium," Burt said, "in addition to targeting user credentials, Thallium also utilizes malware to compromise systems and steal data." Once that malware, known to include BabyShark and KimJongRAT, is successfully installed on a compromised Windows computer, it exfiltrates data. However, it also adopts a persistent attack strategy, waiting patiently in the background for further instructions from the hacking group.

Microsoft takes state-sponsored hacker group to court

The court order that Microsoft successfully sought, enabled the company to take control of a total of 50 internet domains that were being used by Thallium in connection with their ongoing cyber-attack operations. "With this action, the sites can no longer be used to execute attacks," Burt said.

MORE FOR YOU

The Best Mattress For Couples Regardless Of Your Sleep Styles

WWE SmackDown Results Winners And Grades On May 10 2024

The 8 Best Trampolines With Insights From An Industry Expert

That's because, like so many allegedly state-sponsored APT hacking groups, Thallium employed what is known as a spear-phishing methodology to initiate an attack. Unlike scattergun phishing emails that are distributed to hundreds of thousands of people in the hope that a few will take the bait, spear-phishing targets specific individuals within organizations. These individuals will already have been "scoped" by the attackers, using social media and company directories, as well as other open-source intelligence (OSINT) data, to be able to customize each phishing message to the relevant target.

Spear-phishing explained

"Thallium is able to craft a personalized spear-phishing email in a way that gives the email credibility to the target," Burt said, "the content is designed to appear legitimate, but closer review shows that Thallium has spoofed the sender by combining the letters r and n to appear as the first letter m in microsoft.com." Hence the reason that Microsoft took legal action to be able to take down the domains being used by the attackers.

This isn't the first time that Microsoft has resorted to a powerful legal counterpunch in the face of well-organized, state-sponsored attack groups. Indeed, Burt confirmed that the action against Thallium was the fourth such group it has targeted in this way. "Previous disruptions have targeted Barium, operating from China, Strontium, operating from Russia, and Phosphorus, operating from Iran," Burt said. By taking down hundreds of domains in this way, Microsoft can make the Windows ecosystem more secure for everyone.

Tackling state-sponsored hack attacks

However, Burt also acknowledged that there is more to be done. "We think it’s critical that governments and the private sector are increasingly transparent about nation-state activity so we can all continue the global dialogue about protecting the internet," Burt said, "We also hope publishing this information helps raise awareness among organizations and individuals about steps they can take to protect themselves."

How can Windows users protect themselves from attack?

Talking of which, mitigation measures that users of Windows should take include enabling two-factor authentication (2FA) on all email accounts, both business and personal. Keeping an eye on your email forwarding rules is also recommended to spot any attacker that may have got past your defenses to have copies of all mail sent to them. Microsoft itself has an excellent phishing awareness guide for users of Office 365. You might also want to read my tutorial on how to secure Microsoft Windows in eight easy steps.

Follow me on Twitter or LinkedInCheck out my website or some of my other work here
Davey Winder
Davey Winder
Following