Russian’s spy-hackers have taken on almost a mythical status as more details have emerged about how they hacked the Democratic National Committee and the Clinton campaign and influenced the last presidential election. The National Security Agency and the entire U.S. intelligence community seem to be a step behind them, and the worst may be yet to come.
And now comes an unlikely potential savior: Microsoft’s lawyers. They’re using a combination of cyber-sleuthing and innovative legal filings to strike at one of Russia’s most dangerous cyber-espionage groups, Fancy Bear. So far, the tactic is paying off. But it’s not clear that Microsoft can defeat the hackers in the long run.
To find the answer, let’s start by looking at the group Microsoft is zeroing in on. Fancy Bear, the most notorious and successful Russian cyber-espionage group, is believed to be tied to the Russian military spy agency, the GRU. Also known also as APT28, Pawn Storm, Sofacy Group, Sednit and Strontium, Fancy Bear has been around since the mid-2000s, targeting government, military and security organizations rather than businesses. Profit doesn’t appear to be a motive behind its attacks. Instead, it takes actions that help further the Russian government’s interests. Aside from hacking the DNC and the Clinton campaign, it has also gone after NATO, French presidential candidate (and eventual winner) Emmanuel Macron, the German parliament, the Obama White House and others.
Fancy Bear attacks typically use spearphishing emails, websites disguised as news sources that infect computers that visit them, and zero-day vulnerabilities. Against these formidable tools, Microsoft has arrayed its lawyers, along with the company’s cyber expertise, according to an article written by hacking expert Kevin Poulson on the Daily Beast. Last year, the company sued Fancy Bear in federal court for a number of things, including infringing on Microsoft’s trademarks and computer intrusions. (Microsoft used the name “Strontium” rather than “Fancy Bear” when describing the group in the suit.) The goal wasn’t to get money from Fancy Bear, and Microsoft didn’t expect the court to be able to shut the hackers down. Instead, it aimed at what the company called in its filing “the most vulnerable point” in Fancy Bear’s espionage scheme, the command-and-control servers that control malware that the group plants on victims’ computers. If those servers can be shut down, malware can’t do its snooping, and Fancy Bear gets stopped in its tracks.
Microsoft came up with a clever way of doing that. Fancy Bear rents servers from data centers in many places around the world, but they’re beyond Microsoft’s or the court’s reach. So Microsoft asked the court to order that domain registrars turn over to Microsoft the trademark-infringing domains that the hackers use to route malware-related traffic to the servers. When Microsoft gets control of the domains, it redirects the traffic to its own servers. That cuts the link between hackers and victims and foils the attacks. It also lets Microsoft spy on the spies and get a better understanding of how Fancy Bear’s attacks work.
Microsoft has cited multiple domain names owned by Fancy Bear that it said infringed on its copyrights, including onedrivemicrosoft.com, outlook-security.org, rsshotmail.com and Microsoftsecurepolicy.org. (Check out Microsoft’s filing for other domain names, and more details about Fancy Bear attacks.)
Microsoft has doggedly examined the domain names Fancy Bear uses and gone back to the court five times to ask for control of the domains. So far, it has gotten 70 domains from Fancy Bear and is looking for more.
Why has Fancy Bear gone out of its way to use domains with names that potentially infringe on Microsoft copyrights? It’s a way to try to outsmart IT network administrators into thinking the domains are owned by Microsoft and are therefore safe. The Microsoft filing notes: “The command and control (‘C2’) domains used by Strontium are typically designed to avoid attracting attention if network administrators were to notice them when reviewing network traffic.”
Microsoft’s filings claims that it has already had a “significant impact” on Fancy Bear’s ability to do harm. By analyzing Fancy Bear traffic to the domains that Microsoft now controls, Microsoft also uncovered attacks on 122 unwitting Fancy Bear victims.
All this is to the good, but it’s unlikely Microsoft will manage to shut down Fancy Bear. There’s evidence that Fancy Bear is altering the way it works to avoid Microsoft’s malware-fighting techniques. The security company ThreatConnect says Fancy Bear has begun registering domains for its command-and-control servers that are generic and don’t reference Microsoft in any way.
Still, Microsoft’s strategy will certainly slow down Fancy Bear and make it harder for it to operate. And enterprise IT can do its part as well to protect itself. Organizations should check out Microsoft’s filing to see the kinds of names Fancy Bear servers use and the cyber-spying techniques it deploys. And they should carefully look at all their network traffic and not assume that a valid-sounding domain name is a safe one. That way, it won’t just be Microsoft fending off Fancy Bear and its brethren — enterprise IT can do the same.