This will become very important as probably the most important election year in my lifetime (I know, this could be said about every election, but…) the need for cybersecurity is critical to the collective survival of the experiment named the United States of America.Personal emphasis.
On December 27, a U.S. district court unsealed documents detailing work Microsoft has performed to disrupt cyberattacks from a threat group we call Thallium, which is believed to operate from North Korea. Our court case against Thallium, filed in the U.S. District Court for the Eastern District of Virginia, resulted in a court order enabling Microsoft to take control of 50 domains that the group uses to conduct its operations. With this action, the sites can no longer be used to execute attacks.
Microsoft’s Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been tracking and gathering information on Thallium, monitoring the group’s activities to establish and operate a network of websites, domains and internet-connected computers. This network was used to target victims and then compromise their online accounts, infect their computers, compromise the security of their networks and steal sensitive information. Based on victim information, the targets included government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals that work on nuclear proliferation issues. Most targets were based in the U.S., as well as Japan and South Korea.
Like many cybercriminals and threat actors, Thallium typically attempts to trick victims through a technique known as spear phishing. By gathering information about the targeted individuals from social media, public personnel directories from organizations the individual is involved with and other public sources, Thallium is able to craft a personalized spear-phishing email in a way that gives the email credibility to the target. As seen in the sample spear-phishing email below, the content is designed to appear legitimate, but closer review shows that Thallium has spoofed the sender by combining the letters “r” and “n” to appear as the first letter “m” in “microsoft.com.”
The link in the email redirects the user to a website requesting the user’s account credentials. By tricking victims into clicking on the fraudulent links and providing their credentials, Thallium is then able to log into the victim’s account. Upon successful compromise of a victim account, Thallium can review emails, contact lists, calendar appointments and anything else of interest in the compromised account. Thallium often also creates a new mail forwarding rule in the victim’s account settings. This mail forwarding rule will forward all new emails received by the victim to Thallium-controlled accounts. By using forwarding rules, Thallium can continue to see email received by the victim, even after the victim’s account password is updated…
The rest of the post Microsoft takes court action against fourth nation-state cybercrime group appeared first on Microsoft on the Issues.
from Microsoft on the Issues https://ift.tt/2u0C4Fj