IN THE UNITED STATES DISTRICT COURT
FOR THE EASTERN DISTRICT OF VIRGINIA
Alexandria Division

MICROSOFT CORPORATION, a Washington corporation,

Plaintiff,

v.

JOHN DOES 1-2, CONTROLLING A COMPUTER NETWORK THEREBY INJURING PLAINTIFF AND ITS CUSTOMERS,

Defendants.

Civil Action No: 1:19-cv-01582-LO-JFA

FILED UNDER SEAL PURSUANT TO LOCAL CIVIL RULE 5

COMPLAINT

Plaintiff MICROSOFT CORP. ("Microsoft") hereby complains and alleges that JOHN DOES 1-2 (collectively "Defendants") have established an Internet-based cyber-theft operation referred to as "Thallium." Through Thallium, Defendants are engaged in breaking into the Microsoft accounts and computer networks of Microsoft's customers and stealing highly sensitive information. To manage and direct Thallium, Defendants have established and operate a network of websites, domains, and computers on the Internet, which they use to target their victims, compromise their online accounts, infect their computing devices, compromise the security of their networks, and steal sensitive information from them. Internet domains used by Defendants to operate Thallium are set forth at Appendix A to this Complaint and are referred to as the "Command and Control Infrastructure." Microsoft alleges as follows:

NATURE OF THE ACTION

1. This is an action based upon: (1) the Computer Fraud and Abuse Act, 18 U.S.C. §

Case 1:19-cv-01582-LO-JFA Document 1 Filed 12/18/19 Page 2 of 27 PageID# 2

1030; (2) Electronic Communications Privacy Act, 18 U.S.C. § 2701; (3) Trademark Infringement under the Lanham Act, 15 U.S.C. § 1114 et seq.; (4) False Designation of Origin under the Lanham Act, 15 U.S.C. § 1125(a); (5) Trademark Dilution under the Lanham Act, 15 U.S.C. § 1125(c); (6) Cybersquatting under the Anticybersquatting Consumer Protection Act, 15 U.S.C. § 1125(d); (7) Common Law Trespass to Chattels; (8) Unjust Enrichment; (9) Conversion; and (10) Intentional Interference with Contractual Relationships. Plaintiff seeks injunctive and other equitable relief and damages against Defendants who operate and control a network of computers known as the Thallium Command and Control Infrastructure. Defendants, through their illegal activities involving Thallium, have caused and continue to cause irreparable injury to Microsoft and its customers, and the public.

PARTIES

2. Plaintiff Microsoft is a corporation duly organized and existing under the laws of the State of Washington, having its headquarters and principal place of business in Redmond, Washington.

3. On information and belief, John Doe 1 controls the Thallium Command and Control Infrastructure in furtherance of conduct designed to cause harm to Microsoft, its customers, and the public. Microsoft is informed and believes and thereupon alleges that John Doe 1 can likely be contacted directly or through third-parties using the information set forth in Appendix A.

4. On information and belief, John Doe 2 controls the Thallium Command and Control Infrastructure in furtherance of conduct designed to cause harm to Microsoft, its customers, and the public. Microsoft is informed and believes and thereupon alleges that John Doe 2 can likely be contacted directly or through third-parties using the information set forth in Appendix A.

5. Third parties VeriSign, Inc., VeriSign Information Services, Inc., and VeriSign Global Registry Services (collectively, “VeriSign”) are the domain name registries that oversee the registration of all domain names ending in “.com” and “.net” and are located at 12061 Bluemont Way, Reston, Virginia 20190.

6. Third party Public Interest Registry is the domain name registry that oversees the registration of all domain names ending in “.org,” and is located at 1775 Wiehle Avenue, Suite 100, Reston, Virginia 20190.

7. Third party .Club Domains, LLC is the domain name registry that oversees the registration of all domain names ending in “.club,” and is located at 100 SE 3rd Ave. Suite 1310, Fort Lauderdale, Florida 33394.

8. Third party Afilias Limited c/o Afilias USA, Inc. is the domain name registry that oversees the registration of all domain names ending in “.info” and “.mobi,” and is located at 300 Welsh Road, Building 3, Suite 105, Horsham, Pennsylvania 19044.

9. Third parties Binky Moon, LLC and Donuts Inc. (collectively “Donuts”) are the domain name registries that oversee the registration of all domain names ending in “.cash,” and are located at 5808 Lake Washington Blvd NE, Suite 300, Kirkland, Washington 98033.

10. Third party Neustar, Inc. is the domain name registry backend that oversees the registration of all domains ending in “.biz.” Neustar, Inc. is located at 21575 Ridgetop Circle, Sterling, Virginia 20166.

11. Set forth in Appendix A are the identities of and contact information for third party domain registries that control the domains used by Defendants.

12. On information and belief, John Does 1-2 jointly own, rent, lease, or otherwise have dominion over the Thallium Command and Control Infrastructure and related infrastructure and through those control and operate Thallium. Microsoft will amend this complaint to allege
the Doe Defendants’ true names and capacities when ascertained. Microsoft will exercise due diligence to determine Doe Defendants’ true names, capacities, and contact information, and to effect service upon those Doe Defendants.

13. Microsoft is informed and believes and thereupon alleges that each of the fictitiously named Doe Defendants is responsible in some manner for the occurrences herein alleged, and that Microsoft’s injuries as herein alleged were proximately caused by such Defendants.

14. On information and belief, the actions and omissions alleged herein to have been undertaken by John Does 1-2 were actions that Defendants, and each of them, authorized, controlled, directed, or had the ability to authorize, control or direct, and/or were actions and omissions each Defendant assisted, participated in, or otherwise encouraged, and are actions for which each Defendant is liable. Each Defendant aided and abetted the actions of Defendants set forth below, in that each Defendant had knowledge of those actions and omissions, provided assistance and benefited from those actions and omissions, in whole or in part. Each Defendant was the agent of each of the remaining Defendants, and in doing the things hereinafter alleged, was acting within the course and scope of such agency and with the permission and consent of other Defendants.

JURISDICTION AND VENUE

15. The Court has subject matter jurisdiction over this action pursuant to 28 U.S.C. § 1331 because this action arises out of Defendants’ violation of The Computer Fraud and Abuse Act (18 U.S.C. § 1030), Electronic Communications Privacy Act (18 U.S.C. § 2701), the Lanham Act (15 U.S.C. §§ 1114, 1125), and the Anticybersquatting Consumer Protection Act (15 U.S.C. § 1125(d)). The Court also has subject matter jurisdiction over Microsoft’s claims for trespass to chattels, conversion, unjust enrichment, and intentional interference with contractual
relationships pursuant to 28 U.S.C. § 1367.

16. Venue is proper in this judicial district pursuant to 28 U.S.C. § 1391(b) because a substantial part of the events or omissions giving rise to Microsoft’s claims has occurred in this judicial district, because a substantial part of the property that is the subject of Microsoft’s claims is situated in this judicial district, and because a substantial part of the harm caused by Defendants has occurred in this judicial district. Defendants maintain Internet domains registered in Virginia, engage in other conduct availing themselves of the privilege of conducting business in Virginia, and utilize instrumentalities located in Virginia and the Eastern District of Virginia to carry out acts alleged herein.

17. Defendants have affirmatively directed actions at Virginia and the Eastern District of Virginia by directing their activities, including theft of information, at individual users located in the Eastern District of Virginia and directing malicious computer code at the computers of individual users located in Virginia and the Eastern District of Virginia and attempting to and in fact infecting those user computers with the malicious computer code and instructions to Microsoft’s Windows operating system, the computing devices and high-value computer networks of individual users and entities located in Virginia and the Eastern District of Virginia, in order to compromise the security of those systems and to steal sensitive information from those networks, all to the grievous harm and injury of Microsoft, its customers and licensees, and the public.

18. Defendants maintain certain of the Thallium Command and Control Infrastructure registered through VeriSign, Public Interest Registry and Neustar which reside in the Eastern District of Virginia. Defendants use these domains to communicate with and control the Thallium-infected computers that Defendants communicate with, control, steal from, update, and maintain in this judicial district. Defendants have undertaken the acts alleged herein with
knowledge that such acts would cause harm through domains located in the Eastern District of Virginia, through the Thallium domains maintained through facilities in the Eastern District of Virginia, and through user computers located in the Eastern District of Virginia, thereby injuring Microsoft, its customers and member organizations, and others in the Eastern District of Virginia and elsewhere in the United States. Therefore, this Court has personal jurisdiction over Defendants.

19. Pursuant to 28 U.S.C. § 1391(b), venue is proper in this judicial district. A substantial part of the events or omissions giving rise to Microsoft’s claims, together with a substantial part of the property that is the subject of Microsoft’s claims, are situated in this judicial district. Venue is proper in this judicial district under 28 U.S.C. § 1391(c) because Defendants are subject to personal jurisdiction in this judicial district.

FACTUAL BACKGROUND

Microsoft’s Services And Reputation

20. Microsoft® is a provider of the Windows® operating system, the Hotmail®, Outlook®, and MSN® email and messaging services and the Office 365® and Azure® cloud-based business and productivity suite of services, as well as a variety of other hardware products, software and services, including under the Surface®, Xbox®, and HoloLens® brands and trademarks. Microsoft has invested substantial resources in developing high-quality products and services. Due to the high quality and effectiveness of Microsoft’s products and services and the expenditure of significant resources by Microsoft to market those products and services, Microsoft has generated substantial goodwill with its customers, establishing a strong brand and developing the Microsoft name and the names of its products and services into strong and famous world-wide symbols that are well-recognized within its channels of trade. Microsoft has registered trademarks representing the quality of its products and services and its brand,
including Microsoft®, Windows®, Hotmail®, Outlook®, MSN®, Office 365®, Azure®, Surface®, Xbox®, and HoloLens®. Copies of the trademark registrations for these trademarks are attached as Appendix B to this Complaint.

Thallium

21. Thallium specializes in targeting, penetration, and stealing sensitive information from high-value computer networks connected to the Internet. The precise identities and locations of those behind the activity are generally unknown but have been linked by many in the security community to a North Korean hacking group or groups. Thallium targets Microsoft customers in both the private and public sectors, including businesses in a variety of different industries. Thallium has targeted government employees, organizations and individuals that work on Nuclear Proliferation issues, think tanks, university staff members, members of organizations that attempt to maintain world peace, human rights organizations, as well as many other organizations and individuals. Thallium has been active since 2010, and it poses a threat today and into the future.

22. Thallium operates in the following fashion: after researching a victim organization, Thallium will identify individuals employed by that organization through publicly available information and by social-media interaction. Microsoft has observed fake email addresses being created to connect with possible victims and other potential targets. Thallium typically attempts to compromise the accounts of targeted individuals through a technique known as “Spearphishing.” In a typical spearphishing attack, Thallium sends the targeted individual an email specifically crafted to appear as if it was sent from a reputable email provider (ex. Hotmail, Gmail, Yahoo). The threat actors frequently send emails that state that there is a problem with the victim’s account and/or suspicious login activity was detected. By gathering information about the targeted individuals from social media, public personnel directories from organizations
the individual is involved with, and other public sources, Thallium is able to package the spearphishing email in a way that gives the email credibility to the target. In many other cases, Thallium has created emails that appear to have been sent from a familiar contact known by the targeted user.

23. Thallium sends these emails from a variety of online email services which also include Hotmail, Gmail and Yahoo. The spearphishing emails often include links to websites that Thallium has set up in advance and that it controls. When a victim clicks on the link in the email, their computer connects to the Thallium-controlled website. The victim is then presented with a copy of a login page for the webmail provider that the victim is a subscriber of (e.g. Hotmail, Yahoo, Gmail, United Nations webmail[1]).

24. Figure 1 below shows a copy of a spearphishing email used by Thallium. The email was sent on January 3, 2019 and is spoofed to appear as if it was sent from a Microsoft Account Team. For example, in the email address from which the email was sent, the Thallium defendants have combined the letters “r” and “n” to appear as the first letter “m” in “microsoft.com.” Side by side, the letters “r” and “n” (i.e. “rn”) appear very similar to the letter “m.”

[1] Thallium is targeting individuals with email addresses associated with the United Nations and their @un.org domains.

[Figure 1: screenshot of the spearphishing email; the legible text includes the subject “Unusual sign-in activity,” a “Sign in details” section, and a “Review recent activity” link.]

Figure 1 — Sample Spearphishing Email

25. By clicking on the links seen in the above examples, the targeted user will be connected to a Thallium-controlled website which will attempt to induce the victim to enter their account credentials. For example, in Figure 1 above, the targeted user would have been taken to the following domain that is a masquerade of Hotmail.com: [aginhotrnallcom

26. Upon successful compromise of a victim account, Thallium frequently logs into the account from one of their IP addresses to review emails, contact lists, calendar appointments, and anything else of interest that can be found in the account. On multiple occasions, Thallium has also created a new mailbox rule in the victim’s account settings. This mailbox rule will forward all new emails received by the victim to Thallium-controlled email addresses which are included in the auto-forward rule. In this way, Thallium immediately receives copies of emails
received by the victim, and Thallium can store and review that stolen material on Thallium-controlled computers, beyond the control of the victim.

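A defender-side check for the auto-forward rules described in paragraph 26 (and the inbox-rule tampering, including message deletion, described in paragraph 30), added here as an example and not taken from the complaint. It audits a constructed set of mailbox rules shaped after the properties Exchange Online's Get-InboxRule cmdlet reports (Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage) and flags rules that send mail outside the organisation's own domains or delete messages; the organisation domains and the rule data are assumptions.

```python
import re

# Constructed: the organisation's own mail domains (an assumption).
ORG_DOMAINS = {"contoso.example", "mail.contoso.example"}

# Constructed rules shaped after Get-InboxRule output. Exchange renders a
# recipient either as 'Display Name [SMTP:user@domain]' or as a bare
# address; both forms are handled below. The external domains are
# placeholders in the word-dash-word style the complaint describes.
SAMPLE_RULES = [
    {"Name": "Archive newsletters", "Enabled": True,
     "ForwardTo": [], "ForwardAsAttachmentTo": [], "RedirectTo": [],
     "DeleteMessage": False},
    {"Name": ".", "Enabled": True,                      # near-empty name, easy to miss
     "ForwardTo": ["collector [SMTP:collector@day-post.example]"],
     "ForwardAsAttachmentTo": [], "RedirectTo": [],
     "DeleteMessage": True},                             # hides the forwarded copies
    {"Name": "Copy to assistant", "Enabled": True,
     "ForwardTo": ["assistant@contoso.example"],
     "ForwardAsAttachmentTo": [], "RedirectTo": [],
     "DeleteMessage": False},
    {"Name": "Old rule", "Enabled": False,
     "ForwardTo": [], "ForwardAsAttachmentTo": [],
     "RedirectTo": ["x@app-wallet.example"], "DeleteMessage": False},
]

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def recipient_domains(recipients) -> set:
    """Pull the domain part out of each recipient string, whatever its form."""
    domains = set()
    for recipient in recipients:
        match = ADDR_RE.search(recipient)
        if match:
            domains.add(match.group(1).lower())
    return domains


def audit_inbox_rules(rules, org_domains=ORG_DOMAINS):
    """One finding per rule that forwards/redirects outside org_domains or
    deletes messages. Disabled rules are reported too: they can be switched
    back on, and they are evidence of earlier tampering."""
    findings = []
    for rule in rules:
        targets = (rule.get("ForwardTo", []) + rule.get("ForwardAsAttachmentTo", [])
                   + rule.get("RedirectTo", []))
        external = sorted(d for d in recipient_domains(targets) if d not in org_domains)
        reasons = []
        if external:
            reasons.append("external forward to " + ", ".join(external))
        if rule.get("DeleteMessage"):
            reasons.append("deletes messages")
        if reasons:
            findings.append({"rule": rule["Name"], "enabled": bool(rule.get("Enabled")),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_inbox_rules(SAMPLE_RULES):
        state = "enabled" if finding["enabled"] else "disabled"
        print(f"rule {finding['rule']!r} ({state}): {'; '.join(finding['reasons'])}")
```

A rule that only forwards inside the organisation ("Copy to assistant") produces no finding, so the output is short enough to review per mailbox after a suspected credential compromise.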
27. Thallium often keeps track of which links have been sent to which victims by including a Base64 hash[2] of the victim email address in the URL path of the link in the spearphishing email. This allows Thallium to verify quickly which victims have received and opened the spearphishing email and clicked on the link within. Figure 2 below shows an example of a link with the victim email address Base64 hash included in the URL path.[3]

[2] A “hash” is a mathematical function that can be used to map data of arbitrary size to fixed-length values. “Base64” is an encoding scheme by which, for example, text such as an email address can be represented through corresponding Base64 alphanumeric character values.

[3] In Figure 2, the first and last characters of the Base64 hash are shown for illustrative purposes, but the complete Base64 hash is obfuscated to preserve the privacy of the victim and plaintiff’s operational security, as the Base64 encoding could be readily reversed to show the victim email address. Similarly, the victim email address itself is obfuscated to protect their privacy.

[Figure 2: screenshot showing the URLs from a spearphishing email, the Base64 string carried in the URL path, and the victim email address it decodes to, both obfuscated as described in footnote 3.]

Figure 2 — Sample Spearphishing Login Page And URL Path

28. Thallium uses a variety of domain and subdomain themes to deceive victims into clicking or otherwise interacting with the domains. Some domains and subdomains have a webmail provider theme, such as “office356-us[.]org,” “outlook.mail[.]info,” “maingoogle[.]com,” or “inbox-yahoo[.]com,” while others mimic the victim’s organizations, such as “unite.un.graphwin[.]com,” “unite.office356-us[.]org,” or “naver.com-change[.]pw.” The bulk of Thallium’s domains however are generic but follow a pattern like “word-word[.]TLD,” such as “dialy-post[.]com,” “day-post[.]com,” or “app-wallet[.]com.” Some such domains used by Thallium are associated with servers used to control the operation of malicious software (“malware”) surreptitiously installed by Thallium on victim computers. For example, such domains may send commands to the malware or receive technical responses or stolen data from the malware. The domains also have the benefit of being inconspicuous so as not to attract attention from network administrators when they are reviewing network traffic logs. All of these types of domains may be referred to as “command and control domains” and the associated computer infrastructure may be referred to as “command and control infrastructure.”

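An added triage routine, not part of the complaint, that sorts a sender domain or link host into the three disguises described in paragraphs 24 and 28: the “rn” for “m” homoglyph, a brand or organisation word inside a domain the brand does not own, and the generic “word-word[.]TLD” pattern. The allowlist of legitimate brand domains and the homoglyph table beyond “rn” are assumptions; the domain strings used for illustration are the ones quoted in the complaint.

```python
import re

# Constructed allowlist: the legitimate domains of the brands the complaint
# says Thallium imitates. In production this comes from your own asset list.
LEGIT_DOMAINS = {"microsoft.com", "hotmail.com", "outlook.com", "google.com",
                 "gmail.com", "yahoo.com", "naver.com", "un.org"}

# Brand and organisation words that appeared inside Thallium hostnames
# (paragraphs 28 and 30). "office" also catches the transposed "office356".
THEMED_WORDS = ("microsoft", "hotmail", "outlook", "office", "google", "gmail",
                "yahoo", "naver", "unite")

# Letter pairs that read as another letter in common fonts. "rn" -> "m" is the
# one the complaint describes; the rest are a constructed extension.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"))

WORD_DASH_WORD = re.compile(r"^[a-z]+-[a-z]+\.[a-z]+$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'maingoogle[.]com' back into a hostname."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")


def registrable(host: str) -> str:
    """Last two labels. Assumption: no public-suffix list, so multi-label
    suffixes such as 'co.uk' are not handled; enough for the TLDs cited here."""
    return ".".join(host.split(".")[-2:])


def fold(host: str) -> str:
    """Collapse look-alike sequences so 'rnicrosoft' compares as 'microsoft'."""
    for look_alike, letter in HOMOGLYPHS:
        host = host.replace(look_alike, letter)
    return host


def classify(indicator: str) -> str:
    host = refang(indicator)
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return "legitimate"
    if fold(reg) in LEGIT_DOMAINS:
        return "homoglyph"           # e.g. rnicrosoft.com reads as microsoft.com
    if any(word in host for word in THEMED_WORDS):
        return "brand-themed"        # brand word in a domain the brand does not own
    if WORD_DASH_WORD.match(reg):
        return "word-dash-word"      # generic pattern; low confidence on its own
    return "no-match"


def sender_domain(from_header: str) -> str:
    """Domain of the address in a From: header; the display name is ignored,
    since the display name is exactly what the spoof relies on."""
    match = re.search(r"@([A-Za-z0-9.\[\]-]+)", from_header)
    return refang(match.group(1)) if match else ""


if __name__ == "__main__":
    for sample in ("rnicrosoft.com", "outlook.mail[.]info", "unite.office356-us[.]org",
                   "naver.com-change[.]pw", "dialy-post[.]com", "seoulhobi[.]biz"):
        print(f"{sample:28} {classify(sample)}")
```

The "word-dash-word" verdict on its own is only a hint, as the complaint itself notes that such names are chosen to look ordinary; it becomes useful when combined with a first-seen date or a redirect to go.microsoft.com as in paragraph 29.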
29. In addition, Thallium has developed a technique where a victim clicking on a malicious link in an email is first connected to the command and control infrastructure and is then re-directed to http://go.microsoft[.]com/, a legitimate Microsoft domain. This technique deceives and confuses victims into thinking the link is not compromised because the domain is Microsoft’s and incorporates Microsoft’s trademarks and branded material. Even though the victim is ultimately redirected to a Microsoft domain, Thallium first registers the victim’s access to the command and control infrastructure to further carry out the malicious activity described in this declaration. For example, Figure 3 below reflects that the malicious Thallium domain “seoulhobi[.]biz,” deceptively redirects the victim to a real Microsoft website containing Microsoft’s trademarks, in order to make a deceptive use of a legitimate Microsoft webpage, including the “Microsoft,” “Office,” “Windows,” “Surface,” “Xbox,” “HoloLens,” and “Azure” trademarks. The Thallium defendants carry out this technique in order to obfuscate their malicious activities. For example, researchers or other parties who are looking for malicious activities or accidentally browse to this domain may not understand that there is any malicious activity associated with it because it displays legitimate Microsoft content, which is actually displayed on a legitimate Microsoft website. Similarly, when the domain is being used for malicious purposes to target victims, the victim will be completely unaware of this fact because they are deceptively redirected to a legitimate Microsoft website that causes them to believe that the site is trustworthy, when in fact it is malicious and actively delivering malware.

[Figure 3: screenshot of the legitimate Microsoft website reached after the redirect from “seoulhobi[.]biz”; the legible panels include “Introducing Microsoft HoloLens 2,” “Windows 10 Enterprise,” “Get Visual Studio 2019,” “Microsoft Azure,” “Surface Book 2,” “Xbox One X,” “Xbox One S,” and “SHOP NOW” buttons.]

Figure 3 — Fraudulent Use Of Microsoft Website And Trademarks

30. Through research and investigation, Microsoft has determined that Thallium
currently uses the domains identified in Appendix A to this Complaint in its command and control infrastructure. The Thallium defendants sometimes disguise their command and control infrastructure by incorporating into the names of its command and control domains the names and trademarks of some well-known companies and organizations, including Microsoft, Google, Yahoo, and Naver (a South Korean online platform). As seen in Appendix A to this Complaint, Thallium has registered domains that contain Microsoft’s brands and trademarks as disguises. Thallium’s use of Microsoft brands and trademarks is meant to confuse Microsoft’s customers into clicking on malicious links that they believe are associated with and owned by Microsoft. As noted above, by tricking victims into clicking on the fraudulent links and providing their credentials, the Thallium defendants are then able to log into the victim’s account. Additionally, the Thallium defendants can read sensitive and personal emails within the account, create new inbox rules including auto-forwarding, access the victim’s contact list, send additional spearphishing emails to the victim’s contacts, and hide traces of this malicious activity in the victim account by deleting emails. Customers expect Microsoft to provide safe and trustworthy products and services. There is a great risk that Microsoft’s customers, both individuals and the enterprises they work for, may incorrectly attribute these problems to Microsoft’s products and services, thereby diluting and tarnishing the value of these trademarks and brands.

31. In addition to targeting users’ credentials, the Thallium defendants also utilize malware, the most common being indigenous implants named “BabyShark” and “KimJongRAT,” to compromise systems and steal data from victim systems. The Thallium defendants use misleading domains and Microsoft’s trademarks to cause victims to click on the links that result in installation of this malware on the victims’ computers. Once installed on a victim’s computer, this malware exfiltrates information from the victim computer, maintains a persistent presence on the victim computer, and waits for further instructions from the Thallium
defendants.

32. Samples of the KimJongRAT malware were observed dating back to 2010. The BabyShark malware is frequently sent to users as a malicious attachment to an email. The malware will drop a file with the file extension “.hta.” That file will then send a command that will beacon out to obtain an encoded script that is delivered back to the victim computer. The malware enables all future macros for Microsoft Word and Excel by adding the following registry keys, taking away the user’s ability to disable macros:

HKCU\Software\Microsoft\Office\14.0\Excel\Security\VBAWarnings, value: 1
HKCU\Software\Microsoft\Office\15.0\Excel\Security\VBAWarnings, value: 1
HKCU\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings, value: 1
HKCU\Software\Microsoft\Office\14.0\WORD\Security\VBAWarnings, value: 1
HKCU\Software\Microsoft\Office\15.0\WORD\Security\VBAWarnings, value: 1
HKCU\Software\Microsoft\Office\16.0\WORD\Security\VBAWarnings, value: 1

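An added audit routine, not from the complaint, for the VBAWarnings tampering paragraph 32 describes. It parses a .reg export of the current user's Office hive (on Windows, `reg export HKCU\Software\Microsoft\Office office.reg` produces one, encoded as UTF-16) and reports every per-application Security key whose VBAWarnings is 1, the value that enables all macros without a warning; it handles any Office version and application, not only the 14.0 to 16.0 Word and Excel keys listed above. The export text below is constructed.

```python
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')
# Per-application Security key under the user's Office hive, any version.
OFFICE_SECURITY_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\(?P<ver>\d+\.\d+)"
    r"\\(?P<app>[^\\]+)\\Security$", re.IGNORECASE)

# Documented VBAWarnings values for Office's macro security setting.
VBA_MEANING = {
    1: "enable all macros (no warning)",
    2: "disable all macros with notification",
    3: "disable all macros except digitally signed macros",
    4: "disable all macros without notification",
}

# Constructed export: two keys set the way BabyShark leaves them, one sane,
# and one unrelated value under a deeper key that must not be reported.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security]
"VBAWarnings"=dword:00000001
"AccessVBOM"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\Trusted Locations]
"AllowNetworkLocations"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security]
"VBAWarnings"=dword:00000002
"""


def parse_reg(reg_text):
    """Yield (key, value_name, dword) for every dword in .reg text. A real
    export is UTF-16 with a BOM: read it with open(path, encoding="utf-16")."""
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            current = m.group("key")
        elif current and (m := DWORD_RE.match(line)):
            yield current, m.group("name"), int(m.group("hex"), 16)


def audit_vbawarnings(reg_text):
    """One finding per Office\\<ver>\\<app>\\Security\\VBAWarnings value."""
    findings = []
    for key, name, value in parse_reg(reg_text):
        k = OFFICE_SECURITY_RE.match(key)
        if not k or name.lower() != "vbawarnings":
            continue
        findings.append({
            "version": k.group("ver"), "app": k.group("app"), "value": value,
            "meaning": VBA_MEANING.get(value, "unknown"),
            "macros_forced_on": value == 1,
        })
    return findings


def forced_on(reg_text):
    """(version, app) pairs whose macro warning was switched off."""
    return [(f["version"], f["app"]) for f in audit_vbawarnings(reg_text)
            if f["macros_forced_on"]]


if __name__ == "__main__":
    for f in audit_vbawarnings(SAMPLE_REG):
        flag = "  <-- macros forced on" if f["macros_forced_on"] else ""
        print(f"Office {f['version']} {f['app']}: VBAWarnings={f['value']} ({f['meaning']}){flag}")
```

Remediation is to set the value back to 2 or higher; enforcing it through the corresponding key under HKCU\Software\Policies\Microsoft\Office takes precedence over this per-user setting and stops a later implant from simply rewriting it.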
33. From there, details and information from the victim computer are saved to the victim’s computer in the Windows operating system file: %appdata%\Microsoft\ttmp.log. These details from the victim computer in the ttmp.log are then, ultimately, sent to one of the command and control servers of the Thallium defendants. From there, the Thallium defendants can send additional instructions and commands to the victim’s computer, and can exfiltrate additional stolen information from that computer. By specifically targeting Microsoft’s Windows operating system and utilizing registry and file paths containing Microsoft’s trademarks, in order to deceive users and carry out the fraudulent scheme, the Thallium defendants infringe Microsoft’s trademarks and deceptively use those trademarks in the context of Microsoft’s Windows operating system.

34. Figure 4 reflects the relationship between the Thallium command and control
servers, associated with particular command and control domains, which interact with and receive information from computers infected with the BabyShark and KimJongRAT malware:

[Figure 4: diagram linking the Thallium defendants to the Thallium command and control servers and, beneath them, the infected victim computers labeled Infection 1 through Infection 7.]

Figure 4 — Thallium Command and Control Servers

FIRST CLAIM FOR RELIEF

Violation of the Computer Fraud & Abuse Act, 18 U.S.C. § 1030

35. Microsoft incorporates by reference each and every allegation set forth in paragraphs 1 through 34 above.

36. Defendants knowingly and intentionally accessed and continue to access protected computers without authorization and knowingly caused the transmission of a program, information, code and commands, resulting in damage to the protected computers, the software residing thereon, and Microsoft.

37. Defendants’ conduct involved interstate and/or foreign communications.

38. Defendants’ conduct has caused a loss to Microsoft during a one-year period aggregating at least $5,000.

39. Microsoft seeks injunctive relief and compensatory and punitive damages under 18 U.S.C. § 1030(g) in an amount to be proven at trial.

40. As a direct result of Defendants’ actions, Microsoft has suffered and continues to suffer irreparable harm for which there is no adequate remedy at law, and which will continue unless Defendants’ actions are enjoined.

SECOND CLAIM FOR RELIEF

Violation of Electronic Communications Privacy Act, 18 U.S.C. § 2701

41. Microsoft incorporates by reference each and every allegation set forth in paragraphs 1 through 40 above.

42. Microsoft’s Windows operating system software, and Microsoft’s customers’ computers running such software, and Microsoft’s cloud-based services, such as Hotmail, Outlook and Office 365, are facilities through which electronic communication service is provided to Microsoft’s users and customers.

43. Defendants knowingly and intentionally accessed the Windows operating system and Microsoft’s Hotmail, Outlook and Office 365 software, services and computers upon which this software and services run without authorization or in excess of any authorization granted by Microsoft or any other party.

44. Through this unauthorized access, Defendants intercepted, had access to, obtained and altered, and/or prevented legitimate, authorized access to, wire and electronic communications transmitted via Microsoft’s Windows operating system software and Microsoft’s Hotmail, Outlook and Office 365 services and the computers running such software and services.

45. Microsoft seeks injunctive relief and compensatory and punitive damages in an amount to be proven at trial.

46. As a direct result of Defendants’ actions, Microsoft has suffered and continues to suffer irreparable harm for which there is no adequate remedy at law, and which will continue unless Defendants’ actions are enjoined.

THIRD CLAIM FOR RELIEF

Trademark Infringement Under the Lanham Act — 15 U.S.C. § 1114 et seq.

47. Microsoft incorporates by reference each and every allegation set forth in paragraphs 1 through 46 above.

48. Defendants have used Microsoft’s trademarks in interstate commerce, including Microsoft’s federally registered trademarks for the word marks Microsoft®, Windows®, Hotmail®, Outlook®, MSN®, and Office365®, among other