According to Microsoft, Thallium conducted spear phishing campaigns and also leveraged malware to attack devices. Most of the group’s activity was focused on government employees and organizations such as universities and human rights groups. Targets were widespread across the United States, South Korean, and Japan (the three leading opposers to the North Korean regime). In terms of the spear phishing, Thallium hackers would utilize a fairly complicated attack method. Indeed, they would research targets by gathering data from social media and other resources. With this information, they would create a bespoke email that was personalized for the individual. “By tricking victims into clicking on the fraudulent links and providing their credentials, Thallium is then able to log into the victim’s account. Upon successful compromise of a victim account, Thallium can review emails, contact lists, calendar appointments and anything else of interest in the compromised account,” Tom Burt, Corporate Vice President, Customer Security & Trust, says. “This is the fourth nation-state activity group against which Microsoft has filed similar legal actions to take down malicious domain infrastructure. Previous disruptions have targeted Barium, operating from China, Strontium, operating from Russia, and Phosphorus, operating from Iran,” Burt adds.
Updates
Microsoft has already issued relevant security patches and updates to protect customers from Thallium’s attacks. The company is warning organizations to ensure they are up-to-date. Additionally, Microsoft says users should use two-factor authentication to better protect themselves.