Microsoft revealed yesterday that it received permission to seize 50 domains used by Thallium, a threat group believed to operate from North Korea, via a court order issued by the U.S. District Court for the Eastern District of Virginia earlier this year.
The company said that its Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been "tracking and gathering information on Thallium" for some time. During that time, the group established a network of "websites, domains and internet-connected computers." Microsoft explained:
"This network was used to target victims and then compromise their online accounts, infect their computers, compromise the security of their networks and steal sensitive information. Based on victim information, the targets included government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals that work on nuclear proliferation issues. Most targets were based in the U.S., as well as Japan and South Korea."
Thallium reportedly used a variety of spear-phishing attacks conducted via emails sent from the domains that have since been seized by Microsoft. Those emails contained links to websites that asked victims to sign in to their Microsoft Account. The attackers then used those credentials to access the accounts themselves.
Microsoft said Thallium could "review emails, contact lists, calendar appointments and anything else of interest in the compromised account." The group was also said to have created "a new mail forwarding rule in the victim’s account settings" that "will forward all new emails received by the victim to Thallium-controlled accounts."
That mail forwarding rule would allow Thallium to keep monitoring a victim's email even after the group lost access to the Microsoft Account itself. Some people might change their passwords to protect themselves, but how many would also go through their mail forwarding rules to make sure their messages weren't being sent elsewhere, too?
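The check the paragraph above calls for, as an added example that is not part of the article or of Microsoft's own tooling: audit a mailbox's inbox rules and flag any enabled rule that forwards or redirects mail to a domain outside the organisation. The rule objects are shaped like the Microsoft Graph messageRule resource (actions.forwardTo, forwardAsAttachmentTo and redirectTo as recipient lists) as an assumption; the trusted domain set and the sample rules are constructed.

```python
# Added example: detect external auto-forwarding in inbox rules.
# Input shape assumed to follow the Microsoft Graph messageRule resource;
# all sample data below is constructed, not real.

TRUSTED_DOMAINS = {"example.org"}  # assumption: the organisation's own domains


def _recipient_domains(recipients):
    """Yield lower-cased domains from Graph-style recipient objects."""
    for r in recipients or []:
        addr = r.get("emailAddress", {}).get("address", "")
        if "@" in addr:
            yield addr.rsplit("@", 1)[1].lower()


def find_external_forwarding(rules, trusted_domains=TRUSTED_DOMAINS):
    """Return [(rule name, action, domain)] for every enabled rule that
    forwards or redirects mail to a domain outside trusted_domains."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue  # disabled rules cannot leak mail right now
        actions = rule.get("actions", {})
        for action in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
            for domain in _recipient_domains(actions.get(action)):
                if domain not in trusted_domains:
                    findings.append((rule.get("displayName", "<unnamed>"), action, domain))
    return findings


# Constructed sample resembling one page of /me/mailFolders/inbox/messageRules
SAMPLE_RULES = [
    {"displayName": "Move newsletters", "isEnabled": True,
     "actions": {"moveToFolder": "folder-id-placeholder"}},
    {"displayName": "Copy to assistant", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "assistant@example.org"}}]}},
    {"displayName": ".", "isEnabled": True,  # constructed: rule with a near-empty name
     "actions": {"redirectTo": [{"emailAddress": {"address": "collector@attacker-controlled.example"}}],
                 "stopProcessingRules": True}},
    {"displayName": "Old forward", "isEnabled": False,
     "actions": {"forwardTo": [{"emailAddress": {"address": "me@gmail.example"}}]}},
]

if __name__ == "__main__":
    for name, action, domain in find_external_forwarding(SAMPLE_RULES):
        print(f"[!] rule {name!r}: {action} -> {domain}")
```

Run the same check on every mailbox after a credential reset, not just the one whose password was changed, since the forwarding target address is outside the tenant and survives the reset.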
Microsoft's seizure of 50 domains used by Thallium won't totally disrupt the group's activities. It could always set up more domains, and it would likely take Microsoft a while to notice they were in use, let alone receive another court order to take them down. Actions like this interrupt threat groups; they don't actually end their efforts.