Can Microsoft lawyers defeat Putin’s most notorious spy-hackers?

The courtroom tactic should at least slow Fancy Bear down

Russia’s spy-hackers have taken on an almost mythical status as more details have emerged about how they hacked the Democratic National Committee and the Clinton campaign and influenced the last presidential election.

The National Security Agency and the entire U.S. intelligence community seem to be a step behind them, and the worst may be yet to come.

And now comes an unlikely potential saviour: Microsoft’s lawyers. They’re using a combination of cyber-sleuthing and innovative legal filings to strike at one of Russia’s most dangerous cyber-espionage groups, Fancy Bear.

So far, the tactic is paying off. But it’s not clear that Microsoft can defeat the hackers in the long run.

To find the answer, let’s start by looking at the group Microsoft is zeroing in on. Fancy Bear, the most notorious and successful Russian cyber-espionage group, is believed to be tied to the Russian military spy agency, the GRU.

Also known as APT28, Pawn Storm, Sofacy Group, Sednit and Strontium, Fancy Bear has been around since the mid-2000s, targeting government, military and security organisations rather than businesses. Profit doesn’t appear to be a motive behind its attacks.

Instead, it takes actions that help further the Russian government’s interests. Aside from hacking the DNC and the Clinton campaign, it has also gone after NATO, French presidential candidate (and eventual winner) Emmanuel Macron, the German parliament, the Obama White House and others.

Fancy Bear attacks typically use spearphishing emails, websites disguised as news sources that infect the computers of people who visit them, and zero-day vulnerabilities.

Against these formidable tools, Microsoft has arrayed its lawyers, along with the company’s cyber expertise, according to an article by hacking expert Kevin Poulsen on the Daily Beast.

Last year, the company sued Fancy Bear in federal court on several grounds, including trademark infringement and computer intrusion. (Microsoft used the name “Strontium” rather than “Fancy Bear” when describing the group in the suit.)

The goal wasn’t to get money from Fancy Bear, and Microsoft didn’t expect the court to be able to shut the hackers down.

Instead, it aimed at what the company called in its filing “the most vulnerable point” in Fancy Bear’s espionage scheme, the command-and-control servers that control malware that the group plants on victims’ computers. If those servers can be shut down, malware can’t do its snooping, and Fancy Bear gets stopped in its tracks.

Microsoft came up with a clever way of doing that. Fancy Bear rents servers from data centres in many places around the world, and those servers are beyond Microsoft’s or the court’s reach.

So Microsoft asked the court to order that domain registrars turn over to Microsoft the trademark-infringing domains that the hackers use to route malware-related traffic to the servers. When Microsoft gets control of the domains, it redirects the traffic to its own servers.

That cuts the link between hackers and victims and foils the attacks. It also lets Microsoft spy on the spies and get a better understanding of how Fancy Bear’s attacks work.

Microsoft has cited multiple domain names owned by Fancy Bear that it said infringed on its trademarks, including,, and (Check out Microsoft’s filing for other domain names, and more details about Fancy Bear attacks.)

Microsoft has doggedly examined the domain names Fancy Bear uses and gone back to the court five times to ask for control of the domains. So far, it has gotten 70 domains from Fancy Bear and is looking for more.

Why has Fancy Bear gone out of its way to use domains with names that potentially infringe on Microsoft trademarks? It’s a way to try to fool IT network administrators into thinking the domains are owned by Microsoft and are therefore safe.

The Microsoft filing notes: “The command and control (‘C2’) domains used by Strontium are typically designed to avoid attracting attention if network administrators were to notice them when reviewing network traffic.”

Microsoft’s filing claims that the campaign has already had a “significant impact” on Fancy Bear’s ability to do harm. By analysing Fancy Bear traffic to the domains that Microsoft now controls, Microsoft also uncovered attacks on 122 unwitting Fancy Bear victims.

All this is to the good, but it’s unlikely Microsoft will manage to shut down Fancy Bear. There’s evidence that Fancy Bear is altering the way it works to avoid Microsoft’s domain takeovers.

The security company ThreatConnect says Fancy Bear has begun registering domains for its command-and-control servers that are generic and don’t reference Microsoft in any way.

Still, Microsoft’s strategy will certainly slow down Fancy Bear and make it harder for it to operate. And enterprise IT can do its part as well to protect itself.

Organisations should check out Microsoft’s filing to see the kinds of names Fancy Bear servers use and the cyber-spying techniques it deploys. And they should carefully look at all their network traffic and not assume that a valid-sounding domain name is a safe one. That way, it won’t just be Microsoft fending off Fancy Bear and its brethren — enterprise IT can do the same.
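As an added example of the check the previous paragraph recommends (this is not code from the article, from Microsoft’s filing or from ThreatConnect), the script below reads BIND-style DNS query-log lines, reduces each queried name to its registrable domain and flags names that carry a Microsoft brand token but are not registered under a domain Microsoft actually owns. The log lines, the example.* domains, the allowlist and the log format are constructed assumptions for illustration, not indicators taken from the filing:

```python
"""Flag Microsoft-lookalike domain names in DNS query logs.

Added example for this article; it is not code from the article, from
Microsoft's filing or from ThreatConnect. The log lines and lookalike names
below are constructed for illustration and are not real Fancy Bear indicators.
"""
import re
from collections import Counter

# Registrable domains that genuinely belong to Microsoft. Assumption: in
# production this allowlist comes from your asset inventory; this is a short
# illustrative subset, so real Microsoft domains missing from it get flagged.
GENUINE_MICROSOFT = {
    "microsoft.com", "microsoftonline.com", "live.com", "outlook.com",
    "office.com", "windows.com", "msn.com", "hotmail.com", "azure.com",
}

# Brand tokens an attacker embeds so a name "looks" like Microsoft. Only
# distinctive tokens; generic words such as "live" or "office" would flood
# the results with false positives.
BRAND_TOKENS = ("microsoft", "msft", "windows", "onedrive", "outlook",
                "hotmail", "azure")

# Minimal public-suffix handling, enough for the samples below; use a real
# public-suffix list on production logs.
TWO_LABEL_SUFFIXES = {"co.uk", "co.nz", "com.au", "org.uk"}

# BIND-style query-log line (assumed format); adapt to your resolver or proxy.
QUERY_RE = re.compile(
    r"client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def registrable_domain(fqdn: str) -> str:
    """Return the registrable domain (eTLD+1) of a host name, e.g.
    'update.microsoft.com' -> 'microsoft.com' and
    'onedrive-sync.example.co.uk' -> 'example.co.uk'."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_lookalike(fqdn: str) -> bool:
    """True when the name carries a Microsoft brand token anywhere (including
    in subdomain labels such as microsoft.com.example.net) but its registrable
    domain is not one Microsoft actually owns."""
    if registrable_domain(fqdn) in GENUINE_MICROSOFT:
        return False
    name = fqdn.lower()
    return any(token in name for token in BRAND_TOKENS)


def scan_log(lines):
    """Return a list of (client_ip, queried_name, registrable_domain) for every
    query of a lookalike name; lines that are not queries are skipped."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname")
        if is_lookalike(qname):
            hits.append((m.group("src"), qname, registrable_domain(qname)))
    return hits


def clients_per_domain(hits):
    """Group flagged queries as registrable domain -> set of internal clients:
    the hosts to triage first as possible victims."""
    grouped = {}
    for src, _qname, reg in hits:
        grouped.setdefault(reg, set()).add(src)
    return grouped


# Constructed sample log; the example.* names stand in for attacker domains.
SAMPLE_LOG = """\
05-Jul-2017 10:14:02.118 client 10.0.1.25#53122: query: update.microsoft.com IN A + (10.0.0.2)
05-Jul-2017 10:14:05.402 client 10.0.1.25#53123: query: login.microsoftonline.com IN A + (10.0.0.2)
05-Jul-2017 10:15:11.009 client 10.0.1.40#41211: query: microsoft.com.example.net IN A + (10.0.0.2)
05-Jul-2017 10:15:12.771 client 10.0.1.40#41212: query: msftupdate-service.example.org IN A + (10.0.0.2)
05-Jul-2017 10:16:30.300 client 10.0.1.77#60110: query: onedrive-sync.example.co.uk IN A + (10.0.0.2)
05-Jul-2017 10:16:31.100 client 10.0.1.77#60111: query: www.example.com IN A + (10.0.0.2)
05-Jul-2017 10:17:00.000 zone refresh: example.com
""".splitlines()

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for src, qname, reg in hits:
        print(f"{src:<12} {qname:<40} registrable={reg}")
    print(Counter(reg for _, _, reg in hits))
    print(clients_per_domain(hits))
```

On the sample the two genuine Microsoft names pass and the three example.* names are flagged, grouped by the internal clients that queried them. This is a triage heuristic, not proof of compromise: build the allowlist from your own inventory rather than the short set above, and note that once an actor moves to generic names, as ThreatConnect reports Fancy Bear has begun doing, brand-token matching no longer catches it, so pair it with other signals such as newly registered domains and destinations no other host in the network talks to.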

This story originally appeared on Computerworld
