Microsoft Sues Fancy Bear

Microsoft has devised a new and effective angle to fight back against Fancy Bear, the cyberespionage group accused of hacking the Democratic National Committee in 2016. Microsoft sued them.

In a civil action lawsuit dated August 6, 2016, Microsoft sued the John Does associated with the APT known as Strontium. Strontium, also known as Fancy Bear, Sofacy, and APT 28, is thought to be associated with the Russian military intelligence agency, the GRU.

Microsoft was able to bring this lawsuit because, as described in an article in The Hacker News, “instead of registering generic domains for its cyber espionage operations, Fancy Bear often picked domain names that look-alike Microsoft products and services, such as livemicrosoft[.]net and rsshotmail[.]com, in order to carry out its hacking and cyber espionage campaigns.” Microsoft sued to gain control of 70 command-and-control points that use domain names related to Microsoft, and it was granted that control.

In a preliminary injunction order dated August 12, 2016, the United States District Court for the Eastern District of Virginia, Alexandria Division, ordered that “The domains shall be redirected to secure servers by changing the authoritative name servers… and, as may be necessary, the IP addresses associated with the name server or taking other reasonable steps to work with Microsoft to ensure the redirection of the domains and to ensure that Defendants cannot use them to make unauthorized access to computers, infect computers, compromise computers and computer networks, or steal information from them.”

Kevin Poulsen, in a Daily Beast article, writes, “rather than getting physical custody of the servers, which Fancy Bear rents from data centers around the world, Microsoft has been taking over the Internet domain names that route to them…. Once under Microsoft’s control, the domains get redirected from Russia’s servers to the company’s, cutting off the hackers from their victims, and giving Microsoft an omniscient view of that servers’ network of automated spies.”

Generally, tech companies have allowed federal law enforcement agencies to take the lead when dealing with possible nation-state threat actors, especially when the intrusions relate to sensitive events like a US presidential election. Microsoft seems to have found a novel way of legally hacking back by using the US court system to gain control of the domains and the data associated with the Strontium/Fancy Bear cyberespionage attacks.

Sources:

Notice of Pleadings.com, http://www.noticeofpleadings.com/strontium/

http://noticeofpleadings.com/strontium/files/prelim_inj_order.pdf

The Hacker News, How Microsoft Cleverly Cracks Down On “Fancy Bear” Hacking Group

Daily Beast, Putin’s Hackers Now Under Attack—From Microsoft