Microsoft responds to state-sponsored Windows hack attack with powerful counterpunch
It has been confirmed that the Microsoft Digital Crimes Unit (DCU) has been tracking an active hacking campaign against Windows users. Unlike recent threats involving zero-day vulnerabilities facing Windows users, this time the danger is a lot more personal.
Along with the Microsoft Threat Intelligence Center (MSTIC), the DCU has been monitoring an advanced persistent threat (APT) hacking group operating an extensive criminal network to compromise accounts and steal data.
Who is behind these Microsoft Windows hack attacks?
The threat group behind these cyber-attacks is thought to be based in North Korea and has been named “Thallium” by Microsoft; it is also known as APT37. The hacking group appears to have been targeting government employees, university staff, and those working on nuclear proliferation issues, world peace and human rights. The majority of those targeted were based in the U.S., but Microsoft has confirmed that individuals in Japan and South Korea also found themselves in the hacking crosshairs.
Tom Burt, corporate vice-president of customer security and trust at Microsoft, confirmed the hack attack in a December 30 posting. “On December 27, a U.S. district court unsealed documents detailing work Microsoft has performed to disrupt cyberattacks from a threat group we call Thallium,” Burt said, “in addition to targeting user credentials, Thallium also utilizes malware to compromise systems and steal data.” Once that malware, known to include BabyShark and KimJongRAT, is successfully installed on a compromised Windows computer, it exfiltrates data. However, it also adopts a persistent attack strategy, waiting patiently in the background for further instructions from the hacking group.
Microsoft takes state-sponsored hacker group to court
The court order that Microsoft successfully sought enabled the company to take control of a total of 50 internet domains that were being used by APT37 in connection with their ongoing cyber-attack operations. “With this action, the sites can no longer be used to execute attacks,” Burt said.
That’s because, like so many allegedly state-sponsored APT hacking groups, Thallium employed what is known as a spear-phishing methodology to initiate an attack. Unlike scattergun phishing emails that are distributed to hundreds of thousands of people in the hope that a few will take the bait, spear-phishing targets specific individuals within organizations. These individuals will already have been “scoped” by the attackers, using social media and company directories, as well as other open-source intelligence (OSINT) data, to be able to customize each phishing message to the relevant target.
“Thallium is able to craft a personalized spear-phishing email in a way that gives the email credibility to the target,” Burt said, “the content is designed to appear legitimate, but closer review shows that Thallium has spoofed the sender by combining the letters r and n to appear as the first letter m in microsoft.com.” Hence the reason that Microsoft took legal action to be able to take down the domains being used by the attackers.
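The “rn” for “m” trick Burt describes is a lookalike-domain substitution, and it can be caught mechanically before a recipient has to squint at the sender. The following script is an added example written for this article, not Microsoft’s own tooling: it folds a small table of visually confusable letter sequences to a canonical form and compares the sender’s domain with a list of protected domains. It goes slightly beyond the single “rn”/“m” case quoted above by including a few other common confusables; the table, the protected-domain list and the sample addresses are all constructed for the demonstration.

```python
"""Sender-domain lookalike check (added example, not Microsoft's code).

Folds visually confusable letter sequences (the 'rn' -> 'm' trick quoted in
the article, plus a few similar ones) to a canonical form and compares the
sender's domain against a list of protected domains. All tables and sample
values below are constructed for this demonstration.
"""
import re

# Constructed table: character sequences that render like another letter in
# many proportional fonts. The first entry is the one the article quotes.
CONFUSABLES = {
    "rn": "m",
    "vv": "w",
    "cl": "d",
    "0": "o",
    "1": "l",
}

# Constructed list of domains whose impersonation we want to flag.
PROTECTED_DOMAINS = {"microsoft.com", "office365.com"}


def canonical(domain: str) -> str:
    """Lower-case the domain and fold each confusable sequence to its lookalike."""
    folded = domain.lower().strip()
    for seq, replacement in CONFUSABLES.items():
        folded = folded.replace(seq, replacement)
    return folded


def sender_domain(address: str) -> str:
    """Return the domain part of a header value like 'Display Name <user@host>'."""
    match = re.search(r"<([^>]+)>", address)
    addr = match.group(1) if match else address
    return addr.rsplit("@", 1)[-1].strip().lower()


def _matches(domain: str, protected: str) -> bool:
    """True if domain is the protected domain or a subdomain of it."""
    return domain == protected or domain.endswith("." + protected)


def classify(address: str):
    """Classify a From: value as genuine, lookalike or unrelated.

    Returns a (verdict, protected_domain) pair; protected_domain is None when
    the sender is unrelated to any protected domain.
    """
    domain = sender_domain(address)
    # Exact or subdomain match on the raw domain: genuine.
    for protected in PROTECTED_DOMAINS:
        if _matches(domain, protected):
            return "genuine", protected
    # Match only after folding confusables: a lookalike.
    folded = canonical(domain)
    for protected in PROTECTED_DOMAINS:
        if _matches(folded, canonical(protected)):
            return "lookalike", protected
    return "unrelated", None


if __name__ == "__main__":
    # Constructed sample senders.
    for sample in (
        "Microsoft Account Team <account@rnicrosoft.com>",
        "noreply@mail.microsoft.com",
        "someone@example.org",
    ):
        print(sample, "->", classify(sample))
```

A check like this belongs at the mail gateway or in a mailbox rule, not in the user’s eyes: a hit on `lookalike` is a strong signal for quarantine or a warning banner, while `genuine` should still be confirmed by SPF/DKIM/DMARC results rather than by the domain string alone.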
This isn’t the first time that Microsoft has resorted to a powerful legal counterpunch in the face of well-organized, state-sponsored attack groups. Indeed, Burt confirmed that the action against Thallium was the fourth such group it has targeted in this way. “Previous disruptions have targeted Barium, operating from China, Strontium, operating from Russia, and Phosphorus, operating from Iran,” Burt said. By taking down hundreds of domains in this way, Microsoft can make the Windows ecosystem more secure for everyone.
Tackling state-sponsored hack attacks
However, Burt also acknowledged that there is more to be done. “We think it’s critical that governments and the private sector are increasingly transparent about nation-state activity so we can all continue the global dialogue about protecting the internet,” Burt said, “We also hope publishing this information helps raise awareness among organizations and individuals about steps they can take to protect themselves.”
How can Windows users protect themselves from attack?
Talking of which, mitigation measures that Windows users should take include enabling two-factor authentication (2FA) on all email accounts, both business and personal. Keeping an eye on your email forwarding rules is also recommended, so that you can spot an attacker who has got past your defenses and set up a rule to have copies of all your mail sent to them. Microsoft itself has an excellent phishing awareness guide for users of Office 365. You might also want to read my tutorial on how to secure Microsoft Windows in eight easy steps.
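The forwarding-rule check above is easy to automate once the rules are exported. The script below is an added example, not Microsoft’s code or any product’s API: it audits a list of rule records in a simple constructed shape (the field names `name`, `enabled`, `forward_to`, `redirect_to` and `delete_message` are assumptions for the demonstration, not a real export schema) and flags enabled rules that send mail outside the organisation, with extra weight when the rule also deletes the original or has a near-empty name.

```python
"""Inbox forwarding-rule audit (added example, not Microsoft's code).

Flags mailbox rules that forward or redirect mail to addresses outside the
organisation. The record shape and all sample values are constructed for
this demonstration and do not represent any product's export format.
"""

# Constructed: the organisation's own mail domains.
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample export of three rules from one mailbox.
SAMPLE_RULES = [
    {
        "name": "Team digest",
        "enabled": True,
        "forward_to": ["team@example.com"],
        "redirect_to": [],
        "delete_message": False,
    },
    {
        "name": ".",
        "enabled": True,
        "forward_to": ["archive@mail-backup.example.net"],
        "redirect_to": [],
        "delete_message": True,
    },
    {
        "name": "Old project",
        "enabled": False,
        "forward_to": ["x@outside.example.org"],
        "redirect_to": [],
        "delete_message": False,
    },
]


def is_external(address: str) -> bool:
    """True if the address's domain is not one of the organisation's own."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def audit_rules(rules):
    """Return a list of findings, one per enabled rule that sends mail externally."""
    findings = []
    for rule in rules:
        if not rule.get("enabled", False):
            continue  # disabled rules cannot leak mail today
        targets = list(rule.get("forward_to", [])) + list(rule.get("redirect_to", []))
        external = [t for t in targets if is_external(t)]
        if not external:
            continue
        reasons = ["sends mail outside the organisation"]
        if rule.get("delete_message", False):
            reasons.append("deletes the original, so the owner never sees the copy")
        if len(rule.get("name", "").strip()) <= 1:
            reasons.append("near-empty rule name")
        findings.append({
            "rule": rule.get("name", ""),
            "external_targets": external,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

Run this against a real export periodically, and treat any finding as something to confirm with the mailbox owner; a legitimate forward to a personal address still deserves a conversation about whether it should exist.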