Bloomberg Law
Free Newsletter Sign Up
Bloomberg Law
Free Newsletter Sign Up

Microsoft Sues North Korea-Linked Hackers for Impersonation (1)

Dec. 30, 2019, 2:56 PM

A group of hackers with ties to North Korea targets Microsoft Corp. software users by impersonating the company, according to a lawsuit unsealed Dec. 27 in Virginia federal court.

Thallium has been breaking into Microsoft accounts and stealing sensitive information by misleading users into giving the hackers their usernames and passwords, the complaint says.

Thallium allegedly targets government employees, human rights organizations, university staff members, and others working on nuclear proliferation issues. It sends emails designed to look like messages from legitimate email services like Alphabet Inc.'s Gmail, Yahoo, and Microsoft’s Hotmail, telling targets that there is a problem with their account.

The emails trick targets into clicking links to Thallium sites and giving the group their login credentials. Thallium then logs into target accounts to review emails, contact lists, and other information, and sometimes creates a mailbox rule to forward emails to Thallium-controlled email addresses, Microsoft says.

U.S. companies have little leverage to bring defendants into U.S. courts if they’re based in nation-states like North Korea, privacy attorneys said. Even with a high likelihood of a favorable judgment, it may be nearly impossible to hold defendants accountable for the alleged hacking attacks, they said.

“The biggest challenges will be securing proper service over the defendants, and then enforcement of any judgment,” Cynthia Burnside, litigation partner at Holland & Knight LLP in Atlanta representing companies in privacy matters, said in an email.

Those challenges are daunting because hackers “tend to travel under pseudonyms, and don’t usually form legal entities or file articles of incorporation with government agencies,” Burnside added.

Microsoft won’t come away empty-handed. The software giant was able to take control of 50 domains the group used to conduct the attacks, Tom Burt, Microsoft vice president of customer security and trust, wrote in a Dec. 30 blog post. “With this action, the sites can no longer be used to execute attacks,” he said in the post.

The unsealed complaint follows previous Microsoft lawsuits against hacking groups based in China, Russia, and Iran. The actions have led to “the takedown of hundreds of domains, the protection of thousands of victims and improved the security of the ecosystem,” Burt wrote.

Thallium has developed a technique where victims are first linked to a legitimate Microsoft domain, which “confuses victims into thinking the link is not compromised because the domain is Microsoft’s and incorporates Microsoft’s trademarks,” the complaint says.

Thallium also uses malware programs to steal data, according to the complaint originally filed Dec. 18 in the U.S. District Court for the Eastern District of Virginia under seal.

Causes of Action: Violations of the Computer Fraud & Abuse Act and Electronic Communications Privacy Act; federal trademark infringement, dilution, and false designation of origin; cybersquatting; common law trespass to chattels; unjust enrichment; conversion; intentional interference with contracts.

Relief: Injunctive relief, damages, attorneys’ fees.

Attorneys: Crowell & Moring LLP represents Microsoft.

The case is Microsoft Corp. v. John Does 1-2, E.D. Va., No. 1:19-cv-01582, complaint unsealed 12/27/19.

To contact the reporters on this story: Blake Brittain in Washington at; Daniel R. Stoller in Washington at

To contact the editors responsible for this story: Rob Tricchinelli at; Carmen Castro-Pagan at; Rebecca Baker at