Microsoft Takes Down 50 Domains Operated by North Korean Hackers

Microsoft announced today that it successfully took down 50 web domains previously used by a North Korean government-backed hacking group. From a report: The OS maker said the 50 domains were used to launch cyberattacks by a group the company has been tracking as Thallium (also known as APT37). Microsoft said the Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) teams have been monitoring Thallium for months, tracking the group's activities, and mapping its infrastructure. On December 18, the Redmond-based company filed a lawsuit against Thallium in a Virginia court. Shortly after Christmas, US authorities granted Microsoft a court order, allowing the tech company to take over 50 domains that the North Korean hackers have been using as part of their attacks. The domains were used to send phishing emails and host phishing pages.

Re:

[ArchieBunker]

I stubbed my toe the other day, clearly that is Russia's doing.

Re:

[weilawei]

In Untied Skates, toe stub you!

Re:

[notdecnet]

> I stubbed my toe the other day, clearly that is Russia's doing.

No, it's clearly the work of Iran or Venezuela or whoever has vast oil reserves ;]

Re:

[omnichad]

The current Administration would more likely blame Ukraine for whatever it is the Russians do because that's what they're told. This would be a big departure.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[omnichad]

Who's bringing up the election? That's also not what was proclaimed, exactly.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[omnichad]

No - they literally keep blaming Ukraine for things even when it doesn't make sense. One of those is, in fact, the Trump campaign blaming Ukraine (not Russia) for interfering with the election. Also, in theory, the primary beneficiary of any trade war with China is Russia. And Trump is always ranting on and on about how corrupt Ukraine is (and particularly, trying to involve an opposing political candidate in it somehow). Ukraine is simply not that important. There is no reason to even mention that cou

Re:

[cavreader]

NK treats China and Russia like they treat the US China is scared to death that NK will do something stupid and invite even more US naval forces to the region. The ground and ship based US anti-missile (THADD) systems can target China just as easily as they can target NK.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[sabbede]

It's not a ridiculous idea, but I doubt it. Neither Russia nor China need them as a cutout, whereas the DPRK is desperately poor and has no legal way to bring in foreign funds.

It's also probably easier to trace back to the DPRK than Russia or China. The DPRK's address space is very limited, whereas a Chinese scammer can rent sever time in the Netherlands and register any domain they want, hiding their trail in the billion addresses available there.

Re:

[radicimo]

You really think NK hackers operate from inside DPRK? C'mon.

What did Microsoft actually do here?

[I am not a Bicycle]

My first thought after reading the summary and the article was that Microsoft launched some sort of network attack (fancy name: "cyberattack"). Then I thought maybe MS just changed the IP address mapping of the sites. Is Microsoft an Internet registrar or similar? If what Microsoft mainly did was to identify the malicious sites, then maybe the phrasing "had them taken down" would be just a bit more pedantic but much less ambiguous, leaving no doubt that a third party disabled the sites.

The real question is..

[fred911]

Why domains where given to a private company. Even if they were used for [insert unacceptable/illegal usage here], why were the domains control given to other than a government entity.

Re:

[PhrostyMcByte]

It seems likely that they were running some sort of zombie control servers targeting Windows and Microsoft wanted to send shutdown signals out.

Re: The real question is..

[VTBlue]

Microsoft started this collaboration with the government in the mid-2000s because the government did not have the capability to takedown these organized bots often run by state actors or organized crime. The typical attack vector was also bootleg Windows XP machines that had been turned into zombie machines in a command and control malware network. In order to protect Microsoft customers and their computers as well as eliminate the threat, Microsoft required legal, operational, and technical capability to c

This is what is wrong with the USA

[Retired ICS]

What possible standing does Microsoft have to interfere in a contract between two third parties?
How does Microsoft have any standing in any court whatsoever with respect to any of the parties?
Who appointed Microsoft to act as an agent for the Government?

Is Microsoft now a Mercenary organization?
How did Microsoft acquire the status of being a Private Police Force? By what authority?

Re: This is what is wrong with the USA

[Admiral Trigger Happ]

Microsoft has no authority here the court did. Microsoft filed suit against the company which they believed to be behaving illegally, the court agreed which then provided Microsoft the legal ability to proceed. In reality it shouldnâ(TM)t be up to private companies to take action against the guys, the FBI and other law enforcement around the world should be doing it but clearly arenâ(TM)t (probably due to lack of adequate funding) so private enterprise steps up

Re:

[Narcocide]

The FBI isn't willing to step up to do their job here because they've been infiltrated by the same international criminal organization that is doing the hacks in the first place. They get plenty of funding. What they get too much of is KGB influence.

Re:

[Killall -9 Bash]

I'm confused by your conspiracy theory. Are the Russians controlling both the president, and one of the government agencies that's been fucking with him for the last 4 years?

Re:

[Narcocide]

The FBI helped him at every turn until it became publicly apparent that they were violating their own charter to do so, then they backpedaled fast and hard while still feigning complete uselessness. It's easy to follow if you have a longer memory than the last 6 months.

Re:

[Retired ICS]

Who gives a flying fuck what Microsoft "believes". That does not give them standing to take legal proceedings.

Re:

[Anonymous Coward]

What possible standing does Microsoft have to interfere in a contract between two third parties?
How does Microsoft have any standing in any court whatsoever with respect to any of the parties?

You witness person A stab person B. You report the crime of person A to the authorities.
The exact same chain of events will play out:

The governments district attorney will press charges against person A.
Person B that was stabbed has no control over this process and is no longer involved.
You who reported the crime have no control over this process and are no longer involved.

In court it is the government vs person A.

Here we have an illegal contract between a US based registrar company, and north korea.
US bas

Re:

[Retired ICS]

So what you are saying is that the article is wrong. Microsoft did not do any of the things claimed Microsoft did. Microsoft was just a witness in a proceeding? Sort of like John Whackbasket claiming to have put Al Capone in jail merely because Mr. Whackbasket was in the same city.

Re:

[slazzy]

The phishing was probably to gain access to Microsoft accounts. So they would be acting to protect their own interest.

Re:

[clovis]

As I understand it, The names given by the court to Microsoft were typo-squatting names. That is, they resembled the real "Microsoft.com", such as "Microsaft.com", Or other common names such as perhaps resembling some government entity name pretending to
serve Microsoft security such as "CIA-gov.com" warning you about your Microsoft account.

ICANN and the courts have had a policy of taking typo-squatting names and granting ownership of these to the original host regardless of whether there is any criminal int

Re:

[Narcocide]

All good questions, but you're asking them about 30 years too late. They have everyone by the balls, now, and you all let it happen.

What were the domains?

[radicimo]

Doesn't say what the 50 domains actually were, but following through to the MSFT blog [microsoft.com], one that appears in the screenshot there is rnicrosoft . com ... but would be curious about the rest.

Also the names of the malware BabyShark [paloaltonetworks.com] and KimJongRAT ... guessing those were not coined by the N. Koreans, though definitely their MO - macros in word processing software injected by phishing. They've been using the same bag of tricks for years.

I wonder what penalty...

[tgibson]

...the NK hackers will suffer for the setback? I wonder how many will be reeducated, sent to a concentration camp, or outright executed for their failure.

Insert free advert for Microsoft

[notdecnet]

How to put a positive spin on Microsoft while at the same time trashing Americas current bogeyman. How about the geniuses at Microsoft making an OS that can't so easily be compromised.

Re:

[ScentCone]

Thanks for your insight, Ivan. Also: remind your trainers in Moscow that their trolling operations will be more convincing once they learn how to use apostrophes.

Re:

[clovis]

These are phishing attacks. There is no indication that these attacks depend upon compromising the OS.

Re:

[notdecnet]

> These are phishing attacks. There is no indication that these attacks depend upon compromising the OS.

Yea sure, opening an email attachment or clicking on a malicious link automatically leads to a compromised system on Macs and Linux and Android just like on Microsoft Windows ;]

Re: ICANN

[Admiral Trigger Happ]

Well if they are .com then they are all technically under US jurisdiction. Other countries have their own TLD

Re:

[Retired ICS]

The US would be my top (and only) suspect.