On December 18, Microsoft filed a suit against defendants that have “established an Internet-based cyber-theft operation referred to as ‘Thallium.’” The complaint (Microsoft Corporation v. John Does 1-2 1:19-cv-01582-LO-JFA) was filed in the Virginia Eastern District Court. Microsoft is represented by Crowell & Moring. This is the fourth cyber-attack group that Microsoft has filed a suit against.
According to the complaint, Thallium allowed defendants to break “into the Microsoft accounts and computer networks of Microsoft’s customers and [steal] highly sensitive information…Defendants have established and operated a network of websites, domains, and computers on the Internet, which they use to target their victims, compromise their online accounts, infect their computing devices, compromise the security of their networks, and steal sensitive information from them.” Thallium is believed to operate from North Korea.
Microsoft’s blog post stated, “we believe it’s important to share significant threat activity… We also hope publishing this information helps raise awareness among organizations and individuals about steps they can take to protect themselves.” Further, “Microsoft applies the knowledge we have collected from tracking Thallium activity to add protections for our customers in all of our security products.”
Thallium worked by utilizing “spearphishing,” a practice of obtaining passwords and other sensitive information via emails designed to look legitimate and trick users into providing their information. Spearphishing entails targeting specific individuals or organizations, as opposed to the broad approach of traditional phishing. The emails claimed that there was an issue with a user’s account or that suspicious activity had been detected on an account, and prompted users to click on a link to log in and check on their accounts. Thallium targeted “high-value computer networks” and would research organizations and individuals from said organizations. Thallium researched victims via social media and public personnel directories. As a result of this research, Thallium “is able to package the spearphishing email in a way that gives the email credibility to the target. In many other cases, Thallium has created emails that appear to have been sent from a familiar contact known by the targeted user…The spearphishing emails often include links to websites that Thallium has set up in advance and that it controls. When a victim clicks on the link in the email, their computer connects to the Thallium-controlled website. The victim is then presented with a copy of a login page for the webmail provider that the victim is a subscriber of.” A user then logs into their account, believing they are on a legitimate webpage; however, their account has now been compromised.
Another scheme tricks users into thinking that an email was sent from the Microsoft Account Team. “For example, in the email address… the Thallium defendants have combined the letters ‘r’ and ‘n’ to appear [sic] as the first letter ‘m’ in ‘microsoft.com.’ Side by side, the letters ‘r’ and ‘n’ (i.e. ‘rn’) appear very similar to the letter ‘m.’” Thus, at a quick glance, users believe they are accessing a legitimate Microsoft website, when they are in fact providing Thallium with account credentials and sensitive information.
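The “rn” for “m” substitution can be caught mechanically by collapsing look-alike sequences before comparing a sender domain with the domains an organization expects mail from. The following Python sketch is an added example, not code from the complaint or from Microsoft; the protected-domain list, the extra substitutions beyond “rn”, the function names and the sample addresses are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Sequences that read as another letter at a glance. "rn" -> "m" is the one the
# complaint describes; the remaining pairs are assumed additions.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

# Assumption: the domains this organization expects legitimate mail from.
PROTECTED = {"microsoft.com", "outlook.com"}


def skeleton(domain):
    """Collapse look-alike sequences so visually similar domains compare equal."""
    s = domain.lower().rstrip(".")
    for seq, repl in CONFUSABLES:
        s = s.replace(seq, repl)
    return s


SKELETONS = {skeleton(d): d for d in PROTECTED}


def lookalike_of(domain):
    """Return the protected domain that `domain` imitates, or None."""
    labels = domain.lower().rstrip(".").split(".")
    # Walk suffixes from longest to shortest so subdomains are covered too.
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in PROTECTED:          # genuine domain or one of its subdomains
            return None
        hit = SKELETONS.get(skeleton(suffix))
        if hit:
            return hit
    return None


def flag_sender(from_header):
    """Return (sender_domain, imitated_domain) for a From header, or None."""
    _, address = parseaddr(from_header)
    domain = address.rpartition("@")[2]
    target = lookalike_of(domain)
    return (domain.lower(), target) if target else None


if __name__ == "__main__":
    # Constructed sample headers, not taken from the complaint.
    for hdr in ['"Microsoft Account Team" <notice@rnicrosoft.com>',
                "Account Team <notice@microsoft.com>"]:
        print(hdr, "->", flag_sender(hdr))
```

The check only covers character-level look-alikes of the listed domains; a protected name placed as a subdomain of an unrelated domain needs a separate rule.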
The complaint stated, “[u]pon successful compromise of a victim account, Thallium frequently logs into the account from one of their IP addresses to review emails, contact lists, calendar appointments, and anything else of interest that can be found in the account. On multiple occasions, Thallium has also created a new mailbox rule in the victim’s account settings. This mailbox rule will forward all new emails received by the victim to Thallium-controlled email addresses which are included in the auto-forward rule…Thallium can store and review that stolen material on Thallium-controlled computers, beyond the control of the victim.” Thallium is also able to keep track of which victims have received, opened and clicked on the link in the spearphishing email. The spearphishing domains either mimic webmail providers or the sites for victims’ organizations. Some domains controlled by Thallium install malware on victims’ computers. The malicious domains are “command and control domains” which will go under the radar of network administrators. Other times, a malicious link will take a user to a Thallium domain, then redirect to Microsoft, tricking a user into believing that the link is not compromised. As a result, users are providing Thallium with their account credentials and Thallium can now log into a user’s account, read sensitive information, auto-forward emails, and hide activity by deleting emails. Thallium also uses malware to steal personal information.
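Because the auto-forward rule keeps sending mail out even after a password is changed, defenders periodically audit mailbox rules for forwarding to outside addresses. The following Python sketch is an added example, not part of the complaint or any Microsoft tooling; the rule records use a simplified, hypothetical export format, and every mailbox, domain and rule name in it is constructed.

```python
# Constructed sample: a simplified inbox-rule export. The field names are
# hypothetical and do not follow any real product schema.
RULES = [
    {"mailbox": "analyst@thinktank.example", "name": "sync", "enabled": True,
     "conditions": {}, "forward_to": ["drop@collector.invalid"]},
    {"mailbox": "director@thinktank.example", "name": "To assistant", "enabled": True,
     "conditions": {}, "forward_to": ["assistant@thinktank.example"]},
    {"mailbox": "fellow@thinktank.example", "name": "Travel receipts", "enabled": True,
     "conditions": {"subject_contains": ["receipt"]},
     "forward_to": ["Expenses@Vendor.Example"]},
    {"mailbox": "intern@thinktank.example", "name": "old", "enabled": False,
     "conditions": {}, "forward_to": ["me@personal.invalid"]},
]

# Assumption: domains the organization treats as internal.
INTERNAL = {"thinktank.example"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


def is_internal(address, internal=INTERNAL):
    """True if the address belongs to an internal domain or one of its subdomains."""
    domain = address.rpartition("@")[2].lower()
    return any(domain == d or domain.endswith("." + d) for d in internal)


def audit(rules, internal=INTERNAL):
    """Return (severity, mailbox, rule name, external recipients), worst first."""
    findings = []
    for rule in rules:
        external = [a for a in rule.get("forward_to", [])
                    if not is_internal(a, internal)]
        if not external:
            continue                      # forwards only inside the organization
        if not rule.get("enabled", True):
            severity = "info"             # dormant, but worth asking who made it
        elif not rule.get("conditions"):
            severity = "high"             # unconditional: all new mail leaves
        else:
            severity = "medium"           # filtered subset leaves
        findings.append((severity, rule["mailbox"], rule["name"], external))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
```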
Those attacked include “government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals that work on nuclear proliferation issues. Most targets were based in the U.S., as well as Japan and South Korea.” They may have been targeted for political purposes. It is unclear how many people were attacked by Thallium, but it has operated since 2010 and continues to operate today.
“It’s hard to break into the State Department, but it’s easy to break into a think tank with a shoestring budget, then get information that’s ultimately being provided to or circulated around the government,” said Adam Meyers, vice president of intelligence at CrowdStrike, a cybersecurity company. “It’s an easier target for a threat actor to collect intelligence about political issues.”
Microsoft alleged that Thallium has violated the Computer Fraud & Abuse Act, the Electronic Communications Privacy Act, the Anti-Cybersquatting Consumer Protection Act (cybersquatting), common law trespass to chattels, and parts of the Lanham Act, including trademark infringement, false designation of origin, and trademark dilution. Microsoft also seeks relief from unjust enrichment, conversion and intentional interference with contractual relationships. Microsoft has sought declaratory and injunctive relief, as well as compensation for damages and other relief.