A new offensive by Microsoft has been making inroads against the Russian government hackers behind last year’s election meddling, identifying over 120 new targets of the Kremlin’s cyber spying, and control-alt-deleting segments of Putin’s hacking apparatus.
How are they doing it? It turns out Microsoft has something even more formidable than Moscow’s malware: Lawyers.
Last year attorneys for the software maker quietly sued the hacker group known as Fancy Bear in a federal court outside Washington DC, accusing it of computer intrusion, cybersquatting, and infringing on Microsoft’s trademarks. The action, though, is not about dragging the hackers into court. The lawsuit is a tool for Microsoft to target what it calls “the most vulnerable point” in Fancy Bear’s espionage operations: the command-and-control servers the hackers use to covertly direct malware on victim computers. These servers can be thought of as the spymasters in Russia’s cyber espionage, waiting patiently for contact from their malware agents in the field, then issuing encrypted instructions and accepting stolen documents.
Since August, Microsoft has used the lawsuit to wrest control of 70 different command-and-control points from Fancy Bear. The company’s approach is indirect, but effective. Rather than getting physical custody of the servers, which Fancy Bear rents from data centers around the world, Microsoft has been taking over the Internet domain names that route to them. These are addresses like “livemicrosoft[.]net” or “rsshotmail[.]com” that Fancy Bear registers under aliases for about $10 each. Once under Microsoft’s control, the domains get redirected from Russia’s servers to the company’s, cutting off the hackers from their victims, and giving Microsoft an omniscient view of that server’s network of automated spies.
“In other words,” Microsoft outside counsel Sten Jenson explained in a court filing last year, “any time an infected computer attempts to contact a command-and-control server through one of the domains, it will instead be connected to a Microsoft-controlled, secure server.”
Historically, Fancy Bear has mostly targeted Windows with its malware, and has leaned heavily on Microsoft products when choosing domain names—thus giving Microsoft standing in the lawsuit. On Friday, after months of litigation and thousands of pages of filings, a judge in Alexandria, Virginia is scheduled to hear Microsoft’s motion for a final default judgment and permanent injunction against Fancy Bear.
Also known as APT28, Sofacy, Pawn Storm and Strontium—Microsoft’s preferred moniker—Fancy Bear has been conducting cyber espionage since at least 2007, breaching NATO, Obama’s White House, a French television station, the World Anti-Doping Agency and countless NGOs, and militaries and civilian agencies in Europe, Central Asia and the Caucasus. Fancy Bear’s most notorious intrusions targeted the Democratic National Committee and the Hillary Clinton campaign last year, as part of Moscow’s efforts to help Donald Trump win the White House, according to U.S. intelligence findings.
Microsoft doesn’t name Russia in its suit, instead describing Fancy Bear as a “sophisticated and well-resourced organization” that remains unidentified. But security companies and unclassified U.S. intelligence findings have placed Fancy Bear as a component of Russia’s military intelligence agency the GRU.
The offensive against Fancy Bear appears to be the first time a technology company has tried to directly disrupt a foreign intelligence operation on a large scale. In 2015, the Russia-based security firm Kaspersky sinkholed a dozen command-and-control domains used by the National Security Agency’s malware, but only after the NSA let the registration lapse, leaving the domains on the market for anyone who wanted them.
But Microsoft’s methods hew closely to earlier takedowns masterminded by the company’s Digital Crimes Unit in a string of operations targeting criminal botnets like Rustock, Waledac and Kelihos, with varying degrees of success and occasional controversy. In a 2013 operation, the company used the courts to sinkhole 4,000 command-and-control domains used by the bank-theft malware Citadel, but in the process hijacked hundreds of domains that already belonged to computer security researchers who’d been monitoring Citadel themselves.
The Fancy Bear takedown has a much smaller scope than the anti-botnet operations, and doesn’t affect all of the group’s malware—some of Russia’s hacking tools, like the X-Tunnel implant used against the Democratic National Party, connect to command-and-control servers using their numeric IP address instead of a domain name. But “the way that Microsoft is sinking their domains … increases Fancy Bear’s costs,” says Kyle Ehmke, a senior intelligence researcher at ThreatConnect who routinely sniffs out Fancy Bear’s secret servers. “Infrastructure procurement has an associated cost, and as researchers that’s something that we have to take advantage of and exploit. The more that they have to redo their infrastructure, the better.”
Microsoft’s Fancy Bear crackdown began one week after The New York Times reported the intelligence community’s “high confidence” assessment that the Kremlin had hacked the DNC. Microsoft filed a sealed motion seeking an emergency restraining order to temporarily seize 22 Fancy Bear domains, including the ActBlues[.]com address used in an attack on the Democratic Congressional Campaign Committee, and domains previously used in intrusion attempts on German energy firms.
U.S. District Judge Gerald Bruce Lee granted Microsoft’s request and issued a then-sealed order to domain name registrars compelling them to alter the domains to point to Microsoft, while leaving all the registration details—fake names and street addresses—intact. But almost as soon as Microsoft began sinkholing the domains, Fancy Bear responded, registering another batch of names that sent Microsoft back to court for a supplemental order to seize the new addresses.
The cat-and-mouse game has continued unabated ever since, with Microsoft painstakingly analyzing Fancy Bear’s choices of domain names, registrars and webmail providers, and even developing a list of 140 words most likely to appear in a Fancy Bear domain. To streamline the process, a retired judge has been appointed to serve as an independent “court monitor” overseeing the takedown requests. (Her expenses include $1,005 for “computer security”). By last March, Microsoft had been back five times for supplemental orders, and grabbed a total of 70 domains from the Russians.
Suing a shadowy hacker gang isn’t completely straightforward. After Fancy Bear missed its first court date in August, the judge granted Microsoft subpoena power, and the company launched a nine-month investigation into Fancy Bear’s identity that took it to domain registrars, webmail providers, hosting firms and payment processors around the world. After 52 subpoenas in the U.S., and 46 informal inquiries abroad, Microsoft ended up no closer to unmasking a Fancy Bear hacker. Payment records showed the domains were registered using BitCoin or disposable, pre-paid credit cards; server logs only traced the hackers as far as a Tor exit node.
With no real names or addresses to go by, Microsoft lawyers have been serving the hackers with legal papers over email, sending them to the disposable webmail accounts used to register the command-and-control domains. They’ve never gotten a reply, but a tracking bug the attorneys planted in the emails showed the messages have been opened at least 30 times.
So far the only response from the hackers has been to calmly register more command-and-control domains with every wave of takedowns. The one tip-of-the-hat from Fancy Bear came in January. In what Microsoft thinks was a deliberate taunt, the hackers departed from their usual pattern of inventing aliases off the cuff and used Microsoft’s own contact information and corporate address on one of its new domains.
Now, though, Putin’s hackers may be feeling less cocky. ThreatConnect’s Ehmke is planning to announce Friday another 60 possible Fancy Bear domain registrations he’s discovered through a new round of digital sleuthing. The domains, most registered since February, are more generic—i.e., less Microsofty—than usual for the hackers, which may suggest that Fancy Bear is starting to avoid its litigious foe.
“A lot of the domains that we identified are a little bit more general, and don’t necessarily reference a certain technology,” Ehmke says. “So that could be an attempt to avoid organizations like Microsoft that actively monitor for domains.”
Neither Microsoft nor Fancy Bear responded to inquiries for this story. But Microsoft concludes in court filings that its efforts have had “significant impact” on Fancy Bear’s operations. By analyzing the traffic coming to its sinkhole, the company’s security experts have identified 122 new cyber espionage victims, whom it’s been alerting through Internet service providers. On Friday, the company is set to ask Magistrate Judge Theresa Carroll Buchanan for a final default judgment against Fancy Bear, and for a permanent injunction giving Microsoft ownership of the domains it’s seized.
The company is hunkering down for a long fight. “Defendants are persistent in their activities and are likely to attempt to maintain, rebuild, and even grow, their capabilities again and again,” wrote attorney Jenson last month. As part of its motion, Microsoft is asking for the court monitor to stay on indefinitely, with the company paying the bill, and is seeking an order that prospectively seizes from Fancy Bear a number of other Microsoft-themed domains that have never been registered, but which the company’s algorithms suggest the Kremlin’s hackers may use in the future: infomicrosoftcenter[.]com, win-newsmail[.]com, statistic-security-microsoft[.]com …
The list contains nine thousand entries.
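As an added illustration (not Microsoft’s or ThreatConnect’s code) of the two defender techniques the article describes, triaging beacon traffic that lands on a sinkhole for seized domains and flagging brand-themed candidate domains with a keyword list; the keyword list, log format and IP addresses are constructed assumptions, and the seized domains are the ones named in the story:

```python
"""Sinkhole triage and brand-keyword domain scoring (constructed example)."""
import re
from collections import defaultdict

# Domains named in the article, in the defanged form analysts usually share.
SEIZED = {"livemicrosoft[.]net", "rsshotmail[.]com", "ActBlues[.]com"}

# Hypothetical stand-in for the "140 words" list the article mentions.
BRAND_WORDS = ("microsoft", "hotmail", "windows", "win", "outlook", "office",
               "live", "msn", "security", "update", "statistic", "mail")

# Constructed sinkhole access log: timestamp, source IP, method, path, Host.
# Source addresses come from the RFC 5737 documentation ranges.
SINKHOLE_LOG = """\
2017-07-01T10:00:01Z 203.0.113.5 GET /check.php livemicrosoft.net
2017-07-01T10:00:07Z 198.51.100.20 GET /api/v1 rsshotmail.com
2017-07-01T10:00:09Z 203.0.113.5 POST /upload livemicrosoft.net
2017-07-01T10:00:12Z 192.0.2.77 GET / sinkhole.example.net
"""
LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")


def refang(domain):
    """Normalise 'livemicrosoft[.]net' to 'livemicrosoft.net', lowercased."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def lookalike_score(domain):
    """Return the sorted brand keywords found in the domain's name labels.

    An empty tuple means the name is generic, the pattern the article says
    Fancy Bear may be drifting toward; more hits mean a stronger lookalike."""
    name = refang(domain).rsplit(".", 1)[0]          # drop the TLD
    return tuple(sorted(w for w in BRAND_WORDS if w in name))


def triage(log_text, seized=SEIZED):
    """Map each source IP that beaconed to a seized C2 domain to
    (beacon count, sorted domains). Hits on the sinkhole's own hostname
    (scanners, curious browsers) are ignored so only likely victims remain."""
    seized = {refang(d) for d in seized}
    hits = defaultdict(lambda: [0, set()])
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                                  # malformed line, skip
        _ts, src, _method, _path, host = m.groups()
        if refang(host) in seized:
            hits[src][0] += 1
            hits[src][1].add(refang(host))
    return {src: (n, sorted(doms)) for src, (n, doms) in hits.items()}


if __name__ == "__main__":
    for ip, (n, doms) in triage(SINKHOLE_LOG).items():
        print(f"notify ISP for {ip}: {n} beacons to {', '.join(doms)}")
```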