Skip to content
Naked Security Naked Security

Microsoft opens up a new front in the battle against Fancy Bear

Microsoft's lawyers have gone after the the hacking group's web domains - with some success

Can anyone – or anything – take on well-resourced nation state hacking groups?

Protected by anonymity and plausible deniability, conventional wisdom says not, but conventional wisdom ignores a company like Microsoft wielding a secret weapon with the power to hinder even the cleverest hacking group: lawyers.

This, it has emerged, is precisely how Microsoft has been fighting back against the notorious (and probably Russian) hacking group Strontium, better known to the world as Fancy Bear, or APT28.

After years of gradually worsening attacks on Windows PCs, in August 2016 the company’s Digital Crimes Unit (DCU) was handed the interesting task of suing the group in the US courts.

To cybersecurity engineers, this will sound a bit like throwing a sheaf of paper at a charging tiger, but court papers suggest the tactic has proved surprisingly effective, allowing Microsoft by March this year to have seized 70 web domains used by the group (including one used in the 2016 attacks on the Democratic National Committee).

The company also identified 122 new victims of Fancy Bear over and above an already long list that includes the German parliament, French TV, the World Anti-Doping Agency, and the Ukrainian military as well as, of course, the DNC during the US presidential elections.

It’s an interesting tactic. Instead of wrestling control of the servers themselves, Microsoft is taking the lateral approach of downing the domains associated with them, for example those used to host the phishing sites needed to grab credentials or for command & control (C&C).

The court papers also lay out a significant amount of information as to how Fancy Bears goes about its work, including “developing a list of 140 words most likely to appear in a Fancy Bear domain”.

As the Daily Beast points out, this is only a partial attack on Fancy Bear’s infrastructure, which also uses C&C operated via numeric IP addresses that must be blacklisted manually – but it’s a start.

Microsoft’s tactics shouldn’t be a surprise. In recent years, the company has launched several high-profile legal attacks or “takedowns” on large botnets, for example on Waledac in 2010, and Rustock in 2011, Citadel in 2013, and Ramnit in 2015.

Over time, cybersecurity companies and agencies such as the FBI have joined in, but the expensive legal legwork done by Microsoft’s DCU has been a noticeable engine of almost every effort.

So, has Microsoft discovered a weak point others could use to fight back against hacking groups? If only it were that simple.

The company’s legal assault has been noticed by Fancy Bears’ hackers, with a reported 30 emails sent to its domains confirmed to have been opened. The group has also taken to using Microsoft-themed domains when it registers new ones, a symptom of annoyance perhaps.

Or one could argue that Microsoft’s strategy underlines the inaction of governments, which persist in seeing nation state hackers as political problems rather than legal or engineering ones.

Microsoft is doing this because it has the resources, a DCU full of experts and the will to keep at it for years if necessary. In the old days, governments did this sort of big, important stuff. If governments could be coaxed out of their slumber, groups such as Fancy Bears might find hacking more like a job involving hard work.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!