Microsoft seizes 50 websites used by North Korean hackers to gather intelligence

Victims were located mostly in the U.S., Japan and South Korea, the company said.
(Getty Images)

Microsoft has taken hold of 50 websites used by suspected North Korean hackers to bolster attempted hacks against government employees, universities and nuclear organizations, among other targets.

The company announced Monday it won a court order allowing it to take over 50 websites that a hacking group Microsoft refers to as Thallium (also known as APT37, or Reaper) has used as part of a campaign to steal sensitive data. Thallium would send phishing emails which directed would-be victims to malicious websites, where they would be prompted to enter their username and password. A successful effort would provide Thallium access to victimized account data including messages, contact lists and appointments.

This effort marks the fourth time Microsoft has used U.S. courts to sink nation-state hacking infrastructure. In March, Microsoft said it took over domains used by Phosphorous, an Iranian group also known as Charming Kitten, and in August 2018 said it had moved against Strontium, a Russian group more commonly known as Fancy Bear or APT28. The company also has disrupted a Chinese-linked group it calls Barium.

In this case, Microsoft said victims were located mostly in the U.S., Japan and South Korea. Along with governments and universities, hackers also aimed at think tanks, organizations focused on human rights and individual people working on nuclear proliferation issues.


The fraught political discussion surrounding Pyongyang’s ongoing interest in nuclear technology has been a major focus of North Korean-linked hackers for much of 2019. Researchers from the threat intelligence company Anomali detected similar websites in August that were impersonating the French Ministry for Europe and Foreign Affairs, Stanford University and other specific organizations considering Pyongyang’s nuclear ambitions or the resulting international sanctions.

Thallium has been active since 2010, and is known for its use of malicious software known as BabyShark and KimJongRAT, Microsoft said.

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts