Posted on March 28, 2019 at 12:42 PM
Microsoft has been quietly fighting a hacker group suspected of being financed by the Iranian government, as shown by court documents unsealed yesterday.
Microsoft is best known for its Windows operating system, but it is moving increasingly into cloud and always-on connected services. Court documents unsealed yesterday reveal that it has been waging a quiet legal campaign against hackers thought to be sponsored by the Iranian government.
The Redmond, Washington-based tech giant filed for and won a restraining order allowing it to take over 99 domains. These were used by the hacker group known in security circles as APT35, Phosphorus, Charming Kitten and Ajax Security Team.
Domains used in spear-phishing campaigns
The domains were all part of an effort to harvest login credentials from users in the United States and around the world through spear-phishing. APT35 registered domains that incorporated the names of well-known brands such as Microsoft and Yahoo and used them to host fake login pages, which captured the credentials of journalists and academics in the United States and elsewhere. The tactic is decades old and still succeeds in getting users to hand over their login information today. The group's login pages, however, were also able to bypass two-factor authentication, something not seen in cruder, bulk phishing campaigns.
Microsoft commented after the court ruling that the domain registrars it worked with offered substantial support in transferring the domains; once the court order was finalized, not one registrar contested it.
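The brand-impersonation pattern described above, a well-known brand name embedded either in a subdomain or in a registrable label that the brand does not own, is something a defender can screen for in passive-DNS, certificate-transparency or mail-log feeds. The following is an added example written for this page, not code from the original article or from Microsoft; the brand list, the allowlist of official domains and the sample hostnames are constructed for illustration, and the registrable-domain logic is deliberately naive (it takes the last two labels rather than consulting the Public Suffix List).

```python
"""Screen hostnames for brand impersonation of the kind described above.

Added example for this page; not code from the article or from Microsoft.
Brand list, allowlisted official domains and sample hostnames are constructed.
"""
import unicodedata

# Brands the article says were impersonated, mapped to registrable domains we
# treat as legitimately theirs. ASSUMPTION: an illustrative allowlist only; a
# real deployment needs the complete set of domains each brand actually owns.
OFFICIAL_DOMAINS = {
    "microsoft": {"microsoft.com", "live.com", "outlook.com"},
    "yahoo": {"yahoo.com"},
}

# Common digit/symbol-for-letter substitutions seen in lookalike names.
# Partial table, for illustration.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})


def normalize(label: str) -> str:
    """Fold a DNS label to a lowercase ASCII skeleton so 'micr0soft' and a
    fullwidth 'ｍicrosoft' both compare equal to 'microsoft'."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    return folded.lower().translate(LOOKALIKES)


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels. A production check should
    use the Public Suffix List so that e.g. 'example.co.uk' is handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(host: str) -> dict:
    """Return a verdict for one hostname: 'official', 'impersonation' or 'unrelated'."""
    host = host.strip().rstrip(".").lower()
    labels = host.split(".")
    reg = registrable_domain(host)

    # Allowlist first: anything under a brand's own registrable domain is fine.
    for brand, official in OFFICIAL_DOMAINS.items():
        if reg in official:
            return {"host": host, "verdict": "official", "brand": brand, "where": None}

    # Otherwise look for a brand token in (a) a subdomain label in front of an
    # unrelated registrable domain, e.g. microsoft.com.verify-account.net, or
    # (b) the registrable label itself, e.g. micr0soft-login.com.
    sub_labels = labels[:-2]
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    for brand in OFFICIAL_DOMAINS:
        if any(brand in normalize(lbl) for lbl in sub_labels):
            return {"host": host, "verdict": "impersonation", "brand": brand, "where": "subdomain"}
        if brand in normalize(sld):
            return {"host": host, "verdict": "impersonation", "brand": brand, "where": "registrable label"}

    return {"host": host, "verdict": "unrelated", "brand": None, "where": None}


def impersonations(hosts) -> list:
    """Filter a feed of hostnames down to the ones that impersonate a brand."""
    return [r for r in (classify(h) for h in hosts) if r["verdict"] == "impersonation"]


if __name__ == "__main__":
    # Constructed sample feed (not real APT35 infrastructure).
    SAMPLE_FEED = [
        "login.microsoft.com",
        "microsoft.com.verify-account.net",
        "micr0soft-login.com",
        "mail.yah00.com",
        "ｍicrosoft-account.com",
        "example.org",
    ]
    for r in impersonations(SAMPLE_FEED):
        print(f"{r['host']:40} {r['brand']:10} ({r['where']})")
```

Two caveats for anyone adapting this: the allowlist must be complete for each brand (a legitimate domain missing from it, such as any brand-owned domain not listed above, would be reported as an impersonation), and the check only covers the lookalike-domain half of the campaign; it says nothing about whether a page behind such a domain can relay a second factor, which the article reports these pages could do.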
Microsoft using government tricks to fight hackers
It is nothing new for a company to obtain court orders to seize domains that infringe its copyrights and trademarks. It is, however, a new development for a company to use the same system against a hacking group that misuses official-sounding domains to trick people into revealing sensitive information.
United States government agencies have done this for years, particularly to seize the command-and-control infrastructure of botnets run by notorious hacking groups. Nor is this the first time a private company has used such legal maneuvers to obtain domains.
In the summer of 2018, Microsoft used similar arguments to take control of domains used by the Russian hacker group APT28, also known as Strontium and Fancy Bear. Microsoft's Corporate Vice President for Customer Security and Trust wrote in a blog post yesterday that the company has used the same approach to gain control of 91 websites belonging to that group, which is thought to be connected to the Russian military intelligence agency GRU.
Because this practice has only recently been adopted by a private company, industry insiders expect many more court battles over domains used by hackers now that a legal precedent has been set. Until now this form of restraining order was used mainly by government agencies. Recent examples include the FBI using the courts in May of 2018 to seize a command-and-control domain used by the VPNFilter router malware, and the US Department of Justice using the same tactic to disrupt the Joanap botnet, believed to have been created by hackers sponsored by the government of North Korea.
Industry experts see this new method of dealing with hackers as a show of force by Microsoft as well. The company has long lagged in the cloud services sector because of its focus on its operating system and Office suite, and a showing in the courts like this is good PR: industry insiders agree it will earn the company significant goodwill from end users and corporate customers alike.