Microsoft Seizes “Thallium” Domains and Sues the North Korean Hackers

Last updated September 28, 2021
Written by: Bill Toulas, Infosec Writer

As announced on Microsoft’s blog, the company has been granted approval by a U.S. district court in Virginia to take control of domains belonging to North Korean hackers. The report links earlier phishing attempts to the threat group known as “Thallium”, which allegedly was behind a surge of attacks against corporate customers during last summer. Microsoft had circulated about 10000 notices back then, trying to reduce the risk of its clients being tricked by the spear-phishing actors. Thallium is an expert in this technique, gathering key data about the victim and preparing a credible email with apparently legitimate content.

Once a single employee is tricked, Thallium gains access to their account and then either infiltrates deeper into the network or simply keeps reviewing the sensitive information that passes through that account. As Microsoft points out, Thallium also likes to plant malware onto the compromised systems, with “BabyShark” and “KimJongRat” being the two main strains used. Microsoft was able to track the actors and take control of about 50 domains that constituted Thallium’s infrastructure. Considering the expertise of these hackers, as well as the care they take in hiding their online tracks, this is far from easy. This is why members of other groups such as Strontium, Phosphorus, and Barium remain free and active even after Microsoft has previously repelled and sued them. As in Thallium’s case, though, Microsoft is holding the domains used in their past operations too.

Microsoft takes this chance to remind the public about the special dangers that these hacking groups pose to democracy, as they are targeting critical areas as well as democratic elections. As we move closer to the 2020 U.S. Presidential Elections, Microsoft is ramping up its efforts to help protect the process with its “Election Guard” open-source SDK. As for the victims themselves, Microsoft suggests that all organizations should enable two-factor authentication wherever possible, learn how to spot phishing schemes and conduct training on the topic, and finally enable security alerts at all levels, including alerts on email forwarding rules. Having done all of the above, and with Microsoft having their backs, malicious actors will have a much harder time making their way inside critical corporate networks.
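As an added illustration of the last recommendation above (this is not code from the article or from Microsoft), here is a small check that flags mailbox forwarding rules pointing outside the organization, the kind of event a security alert should fire on. The event layout and field names are constructed for the example and only loosely resemble mailbox-audit records; the internal domain list is an assumption.

```python
# Constructed sample audit events (not real logs). Field names are assumed
# for this example and only loosely follow Exchange-style rule operations.
SAMPLE_EVENTS = [
    {"user": "alice@corp.example", "op": "New-InboxRule",
     "params": {"Name": "Archive", "MoveToFolder": "Archive"}},
    {"user": "bob@corp.example", "op": "New-InboxRule",
     "params": {"Name": ".", "ForwardTo": "mail.backup@external.example",
                "DeleteMessage": "True"}},
    {"user": "carol@corp.example", "op": "Set-InboxRule",
     "params": {"Name": "HR", "RedirectTo": "carol.hr@corp.example"}},
    {"user": "dave@corp.example", "op": "Set-Mailbox",
     "params": {"ForwardingSmtpAddress": "smtp:dave.home@webmail.example"}},
]

# Operations and parameters that can silently copy or redirect a user's mail.
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}


def is_external(address, internal_domains):
    """True if the address's domain is not one of the organization's domains."""
    addr = address.lower()
    if addr.startswith("smtp:"):          # strip the transport prefix if present
        addr = addr[len("smtp:"):]
    domain = addr.rsplit("@", 1)[-1]
    return domain not in {d.lower() for d in internal_domains}


def find_suspicious_forwarding(events, internal_domains):
    """Return one alert per event that forwards or redirects mail to an external address."""
    alerts = []
    for ev in events:
        if ev.get("op") not in RULE_OPS:
            continue
        params = ev.get("params", {})
        for key in sorted(FORWARDING_PARAMS & set(params)):
            target = params[key]
            if not is_external(target, internal_domains):
                continue                   # internal redirects are routine
            reasons = [f"{key} -> {target}"]
            if params.get("DeleteMessage") == "True":
                # Forward-and-delete hides the leak from the mailbox owner.
                reasons.append("rule also deletes the original message")
            alerts.append({"user": ev["user"], "op": ev["op"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_forwarding(SAMPLE_EVENTS, ["corp.example"]):
        print(alert["user"], alert["op"], "; ".join(alert["reasons"]))
```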

Do you think there is ever a chance of seeing hackers from these groups end up in court and get convicted for their actions? Let us know your thoughts in the comments down below, or on our socials, on Facebook and Twitter.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: