Can Microsoft lawyers defeat Putin’s most notorious spy-hackers?

The courtroom tactic should at least slow Fancy Bear down

Russia’s spy-hackers have taken on an almost mythical status as more details have emerged about how they hacked the Democratic National Committee and the Clinton campaign and influenced the last presidential election.

The National Security Agency and the entire U.S. intelligence community seem to be a step behind them, and the worst may be yet to come.

And now comes an unlikely potential saviour: Microsoft’s lawyers. They’re using a combination of cyber-sleuthing and innovative legal filings to strike at one of Russia’s most dangerous cyber-espionage groups, Fancy Bear.

So far, the tactic is paying off. But it’s not clear that Microsoft can defeat the hackers in the long run.

To find the answer, let’s start by looking at the group Microsoft is zeroing in on. Fancy Bear, the most notorious and successful Russian cyber-espionage group, is believed to be tied to the Russian military spy agency, the GRU.

Also known as APT28, Pawn Storm, Sofacy Group, Sednit and Strontium, Fancy Bear has been around since the mid-2000s, targeting government, military and security organizations rather than businesses. Profit doesn’t appear to be a motive behind its attacks.

Instead, it takes actions that help further the Russian government’s interests. Aside from hacking the DNC and the Clinton campaign, it has also gone after NATO, French presidential candidate (and eventual winner) Emmanuel Macron, the German parliament, the Obama White House and others.

Fancy Bear attacks typically use spearphishing emails, websites disguised as news sources that infect computers that visit them, and zero-day vulnerabilities.

Against these formidable tools, Microsoft has arrayed its lawyers, along with the company’s cyber expertise, according to an article written by hacking expert Kevin Poulsen on the Daily Beast.

Last year, the company sued Fancy Bear in federal court for a number of things, including infringing on Microsoft’s trademarks and computer intrusions. (Microsoft used the name “Strontium” rather than “Fancy Bear” when describing the group in the suit.)

The goal wasn’t to get money from Fancy Bear, and Microsoft didn’t expect the court to be able to shut the hackers down.

Instead, it aimed at what the company called in its filing “the most vulnerable point” in Fancy Bear’s espionage scheme, the command-and-control servers that control malware that the group plants on victims’ computers. If those servers can be shut down, malware can’t do its snooping, and Fancy Bear gets stopped in its tracks.

Microsoft came up with a clever way of doing that. Fancy Bear rents servers from data centers in many places around the world, but they’re beyond Microsoft’s or the court’s reach.

So Microsoft asked the court to order that domain registrars turn over to Microsoft the trademark-infringing domains that the hackers use to route malware-related traffic to the servers. When Microsoft gets control of the domains, it redirects the traffic to its own servers.

That cuts the link between hackers and victims and foils the attacks. It also lets Microsoft spy on the spies and get a better understanding of how Fancy Bear’s attacks work.

Microsoft has cited multiple domain names owned by Fancy Bear that it said infringed on its copyrights, including onedrivemicrosoft.com, outlook-security.org, rsshotmail.com and Microsoftsecurepolicy.org. (Check out Microsoft’s filing for other domain names, and more details about Fancy Bear attacks.)

Microsoft has doggedly examined the domain names Fancy Bear uses and gone back to the court five times to ask for control of the domains. So far, it has gotten 70 domains from Fancy Bear and is looking for more.

Why has Fancy Bear gone out of its way to use domains with names that potentially infringe on Microsoft copyrights? It’s a way to try to outsmart IT network administrators into thinking the domains are owned by Microsoft and are therefore safe.

The Microsoft filing notes: “The command and control (‘C2’) domains used by Strontium are typically designed to avoid attracting attention if network administrators were to notice them when reviewing network traffic.”

Microsoft’s filings claim that it has already had a “significant impact” on Fancy Bear’s ability to do harm. By analyzing Fancy Bear traffic to the domains that Microsoft now controls, Microsoft also uncovered attacks on 122 unwitting Fancy Bear victims.

All this is to the good, but it’s unlikely Microsoft will manage to shut down Fancy Bear. There’s evidence that Fancy Bear is altering the way it works to avoid Microsoft’s malware-fighting techniques.

The security company ThreatConnect says Fancy Bear has begun registering domains for its command-and-control servers that are generic and don’t reference Microsoft in any way.

Still, Microsoft’s strategy will certainly slow down Fancy Bear and make it harder for it to operate. And enterprise IT can do its part as well to protect itself.

Organisations should check out Microsoft’s filing to see the kinds of names Fancy Bear servers use and the cyber-spying techniques it deploys. And they should carefully look at all their network traffic and not assume that a valid-sounding domain name is a safe one. That way, it won’t just be Microsoft fending off Fancy Bear and its brethren — enterprise IT can do the same.
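One way for enterprise IT to act on that advice, as an added example that is not from the article or from Microsoft’s filing: a Python check that scans DNS query logs for domains that borrow Microsoft brand names (the filing’s onedrivemicrosoft.com, rsshotmail.com and similar) but do not belong to a known Microsoft-owned registrable domain. The allow-list, the log format and the sample log lines are constructed assumptions for the demonstration.

```python
# Added example, not code from the article or from Microsoft. Flags DNS
# queries to domains that reuse Microsoft brand words without being on an
# allow-list of genuine Microsoft registrable domains.
import re

# Brand words that the C2 domains cited in the filing reuse.
BRAND_TOKENS = ("microsoft", "onedrive", "outlook", "hotmail")

# Constructed allow-list (assumption): a real deployment would maintain a
# complete, vetted list of the vendor's legitimate registrable domains.
LEGIT_DOMAINS = {
    "microsoft.com", "microsoftonline.com", "office.com",
    "onedrive.com", "outlook.com", "hotmail.com", "live.com",
}

# Constructed log format (assumption): "<timestamp> <client-ip> <query-name>".
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def registrable_domain(fqdn):
    """Naive eTLD+1 (last two labels); fine for .com/.org as used here.
    A real deployment would consult the Public Suffix List instead."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def is_brand_lookalike(fqdn):
    """True when the domain carries a Microsoft brand word but is not one
    of the known Microsoft-owned domains. A valid-sounding name is not
    treated as safe; only allow-listed ownership is."""
    dom = registrable_domain(fqdn)
    if dom in LEGIT_DOMAINS:
        return False
    return any(tok in dom for tok in BRAND_TOKENS)


def flag_lookalikes(log_text):
    """Return (client, registrable_domain) pairs worth investigating."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, qname = m.groups()
        if is_brand_lookalike(qname):
            hits.append((client, registrable_domain(qname)))
    return hits


# Constructed sample DNS log; two genuine Microsoft names, one unrelated
# domain and four lookalikes taken from the names cited in the article.
SAMPLE_LOG = """\
2017-08-01T10:00:01Z 10.1.2.3 outlook.office.com
2017-08-01T10:00:05Z 10.1.2.3 onedrivemicrosoft.com
2017-08-01T10:00:09Z 10.1.2.7 login.microsoftonline.com
2017-08-01T10:00:12Z 10.1.2.9 rsshotmail.com
2017-08-01T10:00:15Z 10.1.2.9 example.com
2017-08-01T10:00:20Z 10.1.2.4 mail.outlook-security.org
2017-08-01T10:00:25Z 10.1.2.5 Microsoftsecurepolicy.org
"""

if __name__ == "__main__":
    for client, dom in flag_lookalikes(SAMPLE_LOG):
        print(f"review: {client} queried brand-lookalike domain {dom}")
```

A flagged domain is only a lead: confirm ownership through WHOIS or the vendor’s published domain list before blocking, since the allow-list here is deliberately small.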

This story originally appeared on Computerworld
