A U.S. court discovered a North Korea-linked hacking group after attempting to create internet domains impersonating news outlets, including the U.S. government-funded Voice of America (VOA), aiming to steal information from government officials and other important figures.
The U.S. District Court for the Eastern District of Virginia confirmed in documents that the cybercrime organization known as “Thallium,” or “Emerald Sleet,” had registered fake internet domain names mimicking well-known news organizations, VOA reported on September 17.
According to a court report submitted on September 9, a court-appointed monitor tracked the group’s activities and found that, sometime between May 10 and recent weeks, the hackers created three new domain names.
The domains included “VOANEWS.me,” which closely resembles VOA’s official website (voanews.com), as well as “KYODONEWS.us,” appearing to impersonate Japan’s Kyodo News (kyodonews.net), and “TEMUCO.xyz,” modeled after the name of a Chinese online shopping platform.
This is not the first time Thallium has been involved in such schemes. In December 2019, Microsoft won a civil lawsuit against the group for setting up websites that impersonated Microsoft to steal sensitive information.
That lawsuit resulted in a permanent injunction, allowing courts to prevent Thallium from using not only their existing domains but any new ones they might create.
The court’s appointed monitor, responsible for tracking Thallium’s activities every 120 days, submitted this latest report, marking the eighth since the initial ruling. The report confirmed that after May 10, Thallium registered and used these newly created domains, which were immediately flagged and subjected to legal action under the permanent injunction.
Microsoft recently updated its naming system for hacker groups, assigning “Sleet” as a general identifier for North Korea-affiliated hackers. Thallium is now referred to as “Emerald Sleet.” The court documents also included this new naming convention alongside the original Thallium designation.
While specific details about how and when the three domains were registered remain undisclosed, the report officially confirmed that Emerald Sleet continues its cyber activities.
Thallium, or Emerald Sleet, has a history of creating websites mimicking legitimate organizations, including UN bodies and Microsoft services, to trick government officials, academics, think tanks, and human rights activists into divulging sensitive login information. These stolen credentials were then used to access important data.
In one instance, hackers even impersonated a VOA journalist, sending emails to members of a U.S. think tank. It is likely that the recent creation of the “VOANEWS” domain was part of a similar effort, as all current VOA journalists use the official “VOANEWS.com” domain for their email addresses, the media outlet reported.
BY YOUNGNAM KIM [kim.youngnam@koreadaily.com]
