Microsoft said it got a court order to seize 50 websites used by a hacker group with ties to North Korea that targeted government employees, universities, human rights organizations and nuclear proliferation groups in the U.S., Japan and South Korea.
The group, known as Thallium, uses the network of websites, domains and connected computers to send out “spear phising” emails. Hackers gather as much information on targets as they can to personalize messages and make them appear legitimate.
When the target clicks on a link in the email, hackers are then able to “compromise their online accounts, infect their computers, compromise the security of their networks and steal sensitive information,” Microsoft wrote in a blog post.
Microsoft showed an example of one of Thallium’s spear phishing messages. It looks very much like a standard notification that comes with signing into a Microsoft account in a new location. One big difference, Microsoft says, is the group combined the letters “r” and “n” in the domain name to look like the first letter “m” in “microsoft.com.”
Microsoft, through its Digital Crimes Unit and Threat Intelligence Center, has positioned itself as an important line of defense against so-called “nation state” hacking organizations. Microsoft has in recent years taken on hacking groups with ties to China, Iran and Russia.
The tech giant uses the information it gathers from tracking these hackers to beef up its security products. Microsoft recommended a number of actions organizations can take to better protect themselves, including enabling two-factor authentication on business and personal email accounts, training people to spot phising attempts and enabling security alerts about links and files from suspicious websites.