Microsoft is suing a mysterious North Korean hacking group for allegedly stealing “highly sensitive information” from computers in the United States.
A new lawsuit targets two unnamed people who Microsoft claims work for Thallium, which the suit describes as a “cybertheft operation” that has worked to gain access to “high-value” computer networks.
Thallium targeted government employees, think tanks, university staff and members of groups that work on issues including nuclear proliferation and human rights, the complaint states. Microsoft filed the lawsuit on December 18 and it was unsealed late last week.
It’s not clear how many people Thallium may have hacked, though the complaint alleges the group “has been active since 2010, and it poses a threat today and into the future.”
Microsoft is asking for companies that host website domains associated with Thallium to hand over control of the sites. It also wants compensation for damages in “an amount to be proven at trial.” Microsoft did not immediately respond to a request for comment.
The complaint says the “precise identities and locations of those behind the activity are generally unknown but have been linked by many in the security community to North Korean hacking group or groups,” the lawsuit states.
The complaint alleges Thallium hackers used a technique called “spearphishing,” which seeks to gain passwords and other sensitive information from individual users through emails crafted specifically to look as if they’re coming from a reputable Hotmail, Gmail or Yahoo account.
The emails attempt to lure users into providing login information by claiming that suspicious activity was identified on their accounts. Hackers may have used information gathered on victims’ social media pages and elsewhere online to make the emails particularly convincing, according to the lawsuit. Individuals targeted by the emails may have been selected because of their affiliation with certain organizations, businesses or the government.
After obtaining login credentials, Thallium may have used it to gain access to contact lists, calendar appointments and other information stored on Microsoft users’ accounts.
Hackers also used deceptive websites to trick users into believing they were on a legitimate Microsoft websites and email attachments to distribute malware. Specifically, malware identified in the complaint as “BabyShark” and “KimJongRAT” were used to “compromise systems and steal data from victim systems,” the complaint says.
The suit was filed in a federal court in Virginia because Thallium uses internet domains registered in the state, according to court filings.