Microsoft is alleging that two unnamed hackers with suspected ties to North Korea have targeted thousands of university employees, government workers and others.
In a lawsuit filed earlier this month in Virginia, the software maker claims that the defendants — dubbed “John Doe 1” and “John Doe 2” — operate a cybertheft network called “Thallium.” The pair “are engaged in breaking into the Microsoft accounts and computer networks of Microsoft’s customers and stealing highly sensitive information,” the company said in the complaint.
“The precise identities and locations of those behind the activity are generally unknown but have been linked by many in the security community to North Korean hacking groups,” Microsoft lawyers state in the suit.
Thallium is a network of websites, domains and computers that the alleged hackers use to infiltrate Microsoft user accounts, according to the company. Microsoft said a “spearphishing” technique is used to pry sensitive information from employees at think tanks as well as government officials working on nuclear proliferation issues.
Specifically, the cyberthieves select one employee from an organization that uses Microsoft and find that person’s work email address on the internet or on social media. The hackers then contact that employee from an email account at Hotmail, Gmail or Yahoo and claim that suspicious login activity has been detected on their Microsoft account. The email contains a weblink that the user is encouraged to click to fix the problem, according to the suit.
“When a victim clicks on the link in the email, their computer connects to the Thallium-controlled website,” the complaint states. “Upon successful compromise of a victim account, Thallium frequently logs into the account from one of their IP addresses to review emails, contact lists, calendar appointments and anything else of interest that can be found in the account.”
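The lure described in the complaint has three visible traits a mail gateway or triage analyst can check for: a sender at a consumer webmail provider, an "account security alert" pretext, and a link that does not point at a domain the real account provider would use. The following script is an added example written for this article (it is not Microsoft's code and not drawn from the court filings); it parses a few constructed sample messages and reports which of those traits each one shows. The trusted-host allowlist and the sample sender and link domains are assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Assumed allowlist: hosts a genuine account-security notice would link to.
# Tune this to the identity provider(s) your organization actually uses.
TRUSTED_LINK_HOSTS = {
    "account.microsoft.com",
    "login.microsoftonline.com",
    "account.live.com",
}

# Consumer webmail providers named in the complaint as the lure's senders.
WEBMAIL_SENDER_DOMAINS = {"hotmail.com", "gmail.com", "yahoo.com"}

# Phrasing typical of the "suspicious login activity" pretext.
LURE_PATTERN = re.compile(
    r"(suspicious|unusual)\s+(login|sign[- ]?in)\s+(activity|attempt)", re.I
)
URL_PATTERN = re.compile(r"https?://[^\s<>\"']+", re.I)


def sender_domain(msg: Message) -> str:
    """Lowercase domain from the From: header, or '' if it cannot be parsed."""
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return match.group(1).lower() if match else ""


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a message (single- or multipart)."""
    if msg.is_multipart():
        chunks = []
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                raw = part.get_payload(decode=True) or b""
                chunks.append(raw.decode("utf-8", "replace"))
        return "\n".join(chunks)
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def untrusted_links(text: str) -> list:
    """Return every URL whose host is not on the trusted allowlist."""
    found = []
    for url in URL_PATTERN.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host not in TRUSTED_LINK_HOSTS:
            found.append(url)
    return found


def verdict(indicators: list) -> str:
    """All three traits together match the lure; two of them warrant review."""
    present = set(indicators)
    if {"webmail_sender", "account_alert_lure", "untrusted_link"} <= present:
        return "lure"
    if {"account_alert_lure", "untrusted_link"} <= present:
        return "review"
    return "clear"


def score_message(raw: str) -> dict:
    """Parse one RFC 822 message and report the lure indicators it shows."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    text = subject + "\n" + body_text(msg)
    indicators = []
    if sender_domain(msg) in WEBMAIL_SENDER_DOMAINS:
        indicators.append("webmail_sender")
    if LURE_PATTERN.search(text):
        indicators.append("account_alert_lure")
    links = untrusted_links(text)
    if links:
        indicators.append("untrusted_link")
    return {"subject": subject, "indicators": indicators,
            "links": links, "verdict": verdict(indicators)}


# Constructed sample messages (placeholder domains; not real traffic).
SAMPLE_LURE = """\
From: Microsoft Account Team <account-security@hotmail.com>
To: analyst@thinktank.example
Subject: Suspicious login activity detected on your Microsoft account

We detected unusual sign-in activity. Verify your account here:
http://account-verify.example-placeholder.net/login
"""

SAMPLE_GENUINE = """\
From: Account Security <noreply@microsoft.example>
To: analyst@thinktank.example
Subject: Unusual sign-in activity

Review recent activity at https://account.live.com/activity
"""

SAMPLE_NEWSLETTER = """\
From: Events <events@thinktank.example>
To: analyst@thinktank.example
Subject: Thursday seminar reminder

Agenda: http://events.example-placeholder.org/agenda
"""


def triage(messages: list) -> list:
    """Return the verdict for each raw message in order."""
    return [score_message(m)["verdict"] for m in messages]


if __name__ == "__main__":
    for raw in (SAMPLE_LURE, SAMPLE_GENUINE, SAMPLE_NEWSLETTER):
        result = score_message(raw)
        print(result["verdict"], "|", result["subject"], "|", result["indicators"])
```

The newsletter carries an off-allowlist link but no account-alert pretext, and the genuine notice carries the pretext but links only to an allowlisted host, so neither is flagged; only the message that combines a webmail sender, the alert pretext and an untrusted link is reported as matching the lure. In practice the sender check should also consult SPF/DKIM results, since a display name alone proves nothing.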
Court documents filed by Microsoft show copies of emails that company officials believe were used by Thallium during phishing attacks. Microsoft is accusing Thallium of computer fraud, electronic privacy violations, trademark infringement and more.
In July, Microsoft notified 10,000 of its customers that they had been targeted by hackers in Russia, Iran and North Korea over the past 12 months.
Tom Burt, a Microsoft vice president overseeing customer security, said in a corporate blog post at the time that the company had seen “extensive activity” by the hacker groups. He also warned that such attacks could intensify ahead of the 2020 U.S. presidential election in an attempt to target U.S. political campaigns and election systems.