UPDATED 21:13 EDT / DECEMBER 30 2019

SECURITY

Microsoft seizes domain names used by alleged North Korean hacking group

Microsoft Corp. has successfully seized 50 domain names being used by a suspected North Korean hacking group as part of a broader campaign against cybercrime.

The hacking group, dubbed “Thallium,” is alleged to have been using the domains to conduct its operations. Those operations, revealed today, are said to include the targeting of victims to compromise networks and steal sensitive information.

Suggesting that the group’s motivation was espionage, its targets included government employees, think tanks, university staff members, human rights organizations and people working on nuclear proliferation issues. Thallium targeted victims using spear phishing, in which the attackers pose as a trusted sender to trick a target into revealing confidential information.

Spear phishing is not new, but where this story gets interesting is that at least some of the domains the group was using were designed to look like Microsoft’s own, with slight variations. For example, one seized domain was rnicrosoft.com: the “rn” at the beginning of the domain looks much like the letter “m” if a target doesn’t look closely enough.
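The rnicrosoft.com trick is mechanical enough to catch automatically: collapse the character sequences that look alike, then compare the result against the brands you protect. The script below is an added example for this article, not Microsoft’s tooling or anything from the seizure; the brand list, the confusable table and the sample domain feed are assumptions, and it only treats the last label as the public suffix (real deployments should use the Public Suffix List). It goes beyond the article’s single case by also catching one-character typos and brand names embedded in longer labels.

```python
"""Flag lookalike domains such as rnicrosoft.com before they reach users.

Constructed example: the brand list, the confusable table and the sample
feed are assumptions for this demonstration, not data from the article.
"""
from typing import Optional

# Brand labels to protect (second-level labels, without the TLD). Assumed list.
PROTECTED_BRANDS = {"microsoft", "office", "outlook", "live"}

# Visually confusable sequences, collapsed in this order (longest first so
# "rn" becomes "m" before any single-character rule could touch the "n").
CONFUSABLES = [
    ("rn", "m"),
    ("vv", "w"),
    ("cl", "d"),
    ("0", "o"),
    ("1", "l"),
    ("3", "e"),
    ("5", "s"),
]


def registrable_label(domain: str) -> str:
    """Return the label left of the public suffix, e.g. 'rnicrosoft' for login.rnicrosoft.com.

    Assumes a one-label public suffix (.com, .net); production code should
    consult the Public Suffix List so that .co.uk and friends are handled.
    """
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def skeleton(label: str) -> str:
    """Collapse confusable sequences so visually identical labels compare equal."""
    for seq, repl in CONFUSABLES:
        label = label.replace(seq, repl)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typos such as microsft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brands=PROTECTED_BRANDS, max_typo_distance: int = 1) -> Optional[tuple]:
    """Return (brand, kind) if the domain impersonates a protected brand, else None.

    kind is 'homoglyph' (rnicrosoft), 'typo' (microsft) or 'embedded'
    (microsoft-login). The brand's own label returns None; whether the
    registrant really is the brand is a separate check.
    """
    label = registrable_label(domain)
    if label in brands:
        return None
    sk = skeleton(label)
    for brand in brands:
        if sk == skeleton(brand):
            return (brand, "homoglyph")
    for brand in brands:
        if levenshtein(label, brand) <= max_typo_distance:
            return (brand, "typo")
    for brand in brands:
        if brand in sk.split("-"):
            return (brand, "embedded")
    return None


def scan(domains) -> list:
    """Classify a feed of newly seen domains and return only the suspicious ones."""
    findings = []
    for domain in domains:
        verdict = classify(domain)
        if verdict:
            findings.append((domain, *verdict))
    return findings


# Constructed sample feed: one genuine, one unrelated, the rest lookalikes.
SAMPLE_FEED = [
    "microsoft.com",
    "example.com",
    "rnicrosoft.com",
    "login.micros0ft.com",
    "microsft.com",
    "microsoft-login.net",
]

if __name__ == "__main__":
    for domain, brand, kind in scan(SAMPLE_FEED):
        print(f"{domain}: {kind} lookalike of {brand}")
```

Feed it newly registered domains or the sender domains in your mail logs; a "homoglyph" hit on the company brand is worth blocking outright, while "embedded" hits need a human look because legitimate partners also use such names. Unicode confusables (Cyrillic letters that render like Latin ones) need a separate mapping and are not covered here.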

That domain, along with the others, was set up to appear to be a legitimate Microsoft site, with users asked to log in to their Microsoft accounts and Thallium stealing their credentials in the process. Once an account is compromised, the hacking group gains access to emails, contact lists and other things of interest, but it doesn’t stop there.

“Thallium often also creates a new mail forwarding rule in the victim’s account settings,” Tom Burt, a Microsoft corporate vice president in charge of customer security and trust, wrote in a blog post today. “This mail forwarding rule will forward all new emails received by the victim to Thallium-controlled accounts. By using forwarding rules, Thallium can continue to see email received by the victim, even after the victim’s account password is updated.”
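Because the forwarding rule outlives a password reset, the practical defense is to hunt for such rules across every mailbox rather than rely on credential changes. The script below is an added example for this article, not Microsoft’s code; it assumes the rules have been exported in the shape of Microsoft Graph messageRule objects (an assumption about the format, since the article describes the technique, not an API), and the mailboxes, addresses and accepted domains are constructed. It scores each rule on the traits the quote describes: forwarding to an external address, no conditions (so every new message is forwarded), and actions that hide the theft from the victim.

```python
"""Find inbox rules that silently forward a victim's mail to an attacker.

Constructed example: the rule records below follow the shape of Microsoft
Graph messageRule objects (an assumption about the export format; the
article describes the technique, not an API), and the mailboxes and
addresses are made up.
"""

# Domains the organisation legitimately delivers mail to internally. Assumed.
ACCEPTED_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}

# Rule actions that deliver a copy (or the original) to another recipient.
FORWARDING_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")


def _addresses(recipients) -> list:
    """Pull plain addresses out of a list of Graph recipient objects."""
    return [r["emailAddress"]["address"].lower() for r in recipients or []]


def external_targets(rule: dict, accepted=ACCEPTED_DOMAINS) -> list:
    """Addresses this rule sends mail to that are outside the accepted domains."""
    actions = rule.get("actions") or {}
    targets = []
    for name in FORWARDING_ACTIONS:
        for addr in _addresses(actions.get(name)):
            if addr.rpartition("@")[2] not in accepted:
                targets.append(addr)
    return targets


def assess_rule(mailbox: str, rule: dict, accepted=ACCEPTED_DOMAINS):
    """Return a finding dict for a suspicious rule, or None if it looks benign.

    A rule is only interesting if it is enabled and forwards externally;
    extra indicators (no conditions, so every new message is forwarded;
    deleting or marking the original as read to hide the theft; a blank or
    one-character name) push the severity to high.
    """
    if not rule.get("isEnabled", True):
        return None
    targets = external_targets(rule, accepted)
    if not targets:
        return None
    actions = rule.get("actions") or {}
    indicators = ["forwards to an external address"]
    if not rule.get("conditions"):
        indicators.append("no conditions: every new message is forwarded")
    if actions.get("delete"):
        indicators.append("deletes the original")
    if actions.get("markAsRead"):
        indicators.append("marks the original as read")
    if len((rule.get("displayName") or "").strip()) <= 1:
        indicators.append("blank or one-character rule name")
    return {
        "mailbox": mailbox,
        "rule": rule.get("displayName"),
        "targets": targets,
        "indicators": indicators,
        "severity": "high" if len(indicators) >= 3 else "medium",
    }


def scan_rules(rules_by_mailbox: dict, accepted=ACCEPTED_DOMAINS) -> list:
    """Run assess_rule over every mailbox and collect the findings."""
    findings = []
    for mailbox, rules in rules_by_mailbox.items():
        for rule in rules:
            finding = assess_rule(mailbox, rule, accepted)
            if finding:
                findings.append(finding)
    return findings


def _recipient(address: str) -> dict:
    return {"emailAddress": {"address": address}}


# Constructed sample export: one benign internal forward, one attacker-style
# rule of the kind the quote describes, one external redirect with a
# condition, and one disabled leftover.
SAMPLE_RULES = {
    "alice@contoso.com": [
        {"displayName": "Tickets to helpdesk", "isEnabled": True,
         "conditions": {"subjectContains": ["[Ticket]"]},
         "actions": {"forwardTo": [_recipient("helpdesk@contoso.com")]}},
        {"displayName": ".", "isEnabled": True, "conditions": {},
         "actions": {"forwardTo": [_recipient("collector@example.net")],
                     "delete": True, "stopProcessingRules": True}},
    ],
    "bob@contoso.com": [
        {"displayName": "Vendor redirect", "isEnabled": True,
         "conditions": {"fromAddresses": [_recipient("billing@vendor.example")]},
         "actions": {"redirectTo": [_recipient("bob.home@example.org")]}},
        {"displayName": "Old forward", "isEnabled": False, "conditions": {},
         "actions": {"forwardTo": [_recipient("old@example.org")]}},
    ],
}

if __name__ == "__main__":
    for f in scan_rules(SAMPLE_RULES):
        print(f"{f['severity'].upper()} {f['mailbox']} rule {f['rule']!r} -> {f['targets']}: "
              + "; ".join(f["indicators"]))
```

The same properties are exposed by Exchange Online PowerShell (Get-InboxRule returns ForwardTo, ForwardAsAttachmentTo, RedirectTo and DeleteMessage), and mailbox-level forwarding set through ForwardingSmtpAddress deserves the same review, since a password reset clears neither. Remediation is to remove the rule and then look for what else the attacker did while they had the account.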

In some cases, the hacking group was also found to deploy malware. Two types of malware are linked to the group: “BabyShark” and “KimJongRAT.” Both are designed to steal information from victims while maintaining a persistent presence and waiting for further instructions.

The takedown of the Thallium domains is the fourth time Microsoft has successfully targeted alleged nation-state-sponsored hacking groups. Previous successful cases involving Microsoft include Barium, allegedly from China, Strontium from Russia and Phosphorus from Iran.

Photo: fljckr/Flickr
