{"id":8516,"date":"2017-07-31T08:30:43","date_gmt":"2017-07-31T16:30:43","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/07\/31\/news-2290\/"},"modified":"2017-07-31T08:30:43","modified_gmt":"2017-07-31T16:30:43","slug":"news-2290","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/07\/31\/news-2290\/","title":{"rendered":"Can Microsoft lawyers defeat Putin\u2019s most notorious spy-hackers?"},"content":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt4.staticworld.net\/images\/article\/2015\/09\/lawsuit-judge-law-court-decision-sued-gavel-100614064-primary.idge.jpg\"\/><\/p>\n<p><strong>Credit to Author: Preston Gralla | Date: Mon, 31 Jul 2017 07:53:00 -0700<\/strong><\/p>\n<p>Russia\u2019s spy-hackers have taken on almost a mythical status as more details have emerged about how they hacked the Democratic National Committee and the Clinton campaign and influenced the last presidential election. The National Security Agency and the entire U.S. intelligence community seem to be a step behind them, and the worst may be yet to come.<\/p>\n<p>And now comes an unlikely potential savior: Microsoft\u2019s lawyers. They\u2019re using a combination of cyber-sleuthing and innovative legal filings to strike at one of Russia\u2019s most dangerous cyber-espionage groups, Fancy Bear. So far, the tactic is paying off. But it\u2019s not clear that Microsoft can defeat the hackers in the long run.<\/p>\n<p>To find the answer, let\u2019s start by looking at the group Microsoft is zeroing in on. Fancy Bear, the most notorious and successful Russian cyber-espionage group, is believed to be tied to the Russian military spy agency, the GRU. Also known as APT28, Pawn Storm, Sofacy Group, Sednit and Strontium, Fancy Bear has been around since the mid-2000s, targeting government, military and security organizations rather than businesses. Profit doesn\u2019t appear to be a motive behind its attacks. Instead, it takes actions that help further the Russian government\u2019s interests. Aside from hacking the DNC and the Clinton campaign, it has also gone after NATO, French presidential candidate (and eventual winner) Emmanuel Macron, the German parliament, the Obama White House and others.<\/p>\n<p>Fancy Bear attacks typically use spearphishing emails, websites disguised as news sources that infect computers that visit them, and zero-day vulnerabilities. Against these formidable tools, Microsoft has arrayed its lawyers, along with the company\u2019s cyber expertise, according to <a href=\"http:\/\/www.thedailybeast.com\/microsoft-pushes-to-take-over-russian-spies-network\">an article written by hacking expert Kevin Poulson<\/a> on the Daily Beast. Last year, the company sued Fancy Bear in federal court for a number of things, including infringing on Microsoft\u2019s trademarks and computer intrusions. (Microsoft used the name \u201cStrontium\u201d rather than \u201cFancy Bear\u201d when describing the group in the suit.) The goal wasn\u2019t to get money from Fancy Bear, and Microsoft didn\u2019t expect the court to be able to shut the hackers down. Instead, it aimed at what the company called in its filing \u201cthe most vulnerable point\u201d in Fancy Bear\u2019s espionage scheme, the command-and-control servers that control malware that the group plants on victims\u2019 computers. If those servers can be shut down, malware can\u2019t do its snooping, and Fancy Bear gets stopped in its tracks.<\/p>\n<p>Microsoft came up with a clever way of doing that. Fancy Bear rents servers from data centers in many places around the world, but they\u2019re beyond Microsoft\u2019s or the court\u2019s reach. So Microsoft asked the court to order that domain registrars turn over to Microsoft the trademark-infringing domains that the hackers use to route malware-related traffic to the servers. When Microsoft gets control of the domains, it redirects the traffic to its own servers. That cuts the link between hackers and victims and foils the attacks. It also lets Microsoft spy on the spies and get a better understanding of how Fancy Bear\u2019s attacks work.<\/p>\n<p>Microsoft has cited multiple domain names owned by Fancy Bear that it said infringed on its copyrights, including onedrivemicrosoft.com, outlook-security.org, rsshotmail.com and Microsoftsecurepolicy.org. (Check out <a href=\"http:\/\/noticeofpleadings.com\/strontium\/files\/cmplt.pdf\">Microsoft\u2019s filing<\/a> for other domain names, and more details about Fancy Bear attacks.)<\/p>\n<p>Microsoft has doggedly examined the domain names Fancy Bear uses and gone back to the court five times to ask for control of the domains. So far, it has gotten 70 domains from Fancy Bear and is looking for more.<\/p>\n<p>Why has Fancy Bear gone out of its way to use domains with names that potentially infringe on Microsoft copyrights? It\u2019s a way to try to outsmart IT network administrators into thinking the domains are owned by Microsoft and are therefore safe. The Microsoft filing notes: \u201cThe command and control (\u2018C2\u2019) domains used by Strontium are typically designed to avoid attracting attention if network administrators were to notice them when reviewing network traffic.\u201d<\/p>\n<p><a href=\"http:\/\/www.noticeofpleadings.com\/strontium\/\">Microsoft\u2019s filing claims<\/a> that it has already had a \u201csignificant impact\u201d on Fancy Bear\u2019s ability to do harm. By analyzing Fancy Bear traffic to the domains that Microsoft now controls, Microsoft also uncovered attacks on 122 unwitting Fancy Bear victims.<\/p>\n<p>All this is to the good, but it\u2019s unlikely Microsoft will manage to shut down Fancy Bear. There\u2019s evidence that Fancy Bear is altering the way it works to avoid Microsoft\u2019s malware-fighting techniques. The security company ThreatConnect says Fancy Bear has begun registering domains for its command-and-control servers that are generic and don\u2019t reference Microsoft in any way.<\/p>\n<p>Still, Microsoft\u2019s strategy will certainly slow down Fancy Bear and make it harder for it to operate. And enterprise IT can do its part as well to protect itself. Organizations should check out <a href=\"http:\/\/noticeofpleadings.com\/strontium\/files\/cmplt.pdf\">Microsoft\u2019s filing<\/a> to see the kinds of names Fancy Bear servers use and the cyber-spying techniques it deploys. And they should carefully look at all their network traffic and not assume that a valid-sounding domain name is a safe one. That way, it won\u2019t just be Microsoft fending off Fancy Bear and its brethren \u2014 enterprise IT can do the same.<\/p>\n<p><a href=\"http:\/\/www.computerworld.com\/article\/3211351\/hacking\/can-microsoft-lawyers-defeat-putin-s-most-notorious-spy-hackers.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt4.staticworld.net\/images\/article\/2015\/09\/lawsuit-judge-law-court-decision-sued-gavel-100614064-primary.idge.jpg\"\/><\/p>\n<p><strong>Credit to Author: Preston Gralla | Date: Mon, 31 Jul 2017 07:53:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p>Russia\u2019s spy-hackers have taken on almost a mythical status as more details have emerged about how they hacked the Democratic National Committee and the Clinton campaign and influenced the last presidential election. The National Security Agency and the entire U.S. intelligence community seem to be a step behind them, and the worst may be yet to come.<\/p>\n<p>And now comes an unlikely potential savior: Microsoft\u2019s lawyers. They\u2019re using a combination of cyber-sleuthing and innovative legal filings to strike at one of Russia\u2019s most dangerous cyber-espionage groups, Fancy Bear. So far, the tactic is paying off. But it\u2019s not clear that Microsoft can defeat the hackers in the long run.<\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3211351\/hacking\/can-microsoft-lawyers-defeat-putin-s-most-notorious-spy-hackers.html#jump\">To read this article in full or to leave a comment, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[11796,714],"class_list":["post-8516","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-cyber-crime","tag-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8516","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=8516"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8516\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=8516"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=8516"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=8516"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}