Security Free Reuse

Microsoft has been making significant progress against Fancy Bear, the group of Russian hackers thought responsible for the DNC hack last year. However, rather than its counter security experts, the software giant has used another of its significant resources – lawyers.

Last year, the company sued Fancy Bear in a federal court outside DC on the grounds of trademark infringement, computer intrusion, and cybersquatting. The quiet case has now made it into the public eye, as have Microsoft’s motivations.

The Most Vulnerable Point

The Redmond giant is going for blood, attacking Fancy Bear’s “most vulnerable point”. The calculated move is intended not to drag its members into court, but instead grab its command-and-control points.

These servers are used to direct the malware on victim’s PCs, waiting for contact from malware agents and accepting encrypted files. Rather than targeting the physical locations, Microsoft has seized control of 70 domains that route to them.

Once it has domains like “livemicrosoft.net” under its belt, the company can change any links from Russia’s servers to its own. Through this redirection method, it can get a comprehensive overview of Fancy Bear’s victims.

Though some of Fancy Bear’s malware uses direct IP addresses rather than domains, researchers expect a significant affect. Speaking to The Daily Beast, ThreatConnect researcher Kyle Ehmke said:

“The way that Microsoft is sinking their domains … increases Fancy Bear’s costs. Infrastructure procurement has an associated cost, and as researchers, that’s something that we have to take advantage of and exploit. The more that they have to redo their infrastructure, the better.”

It’s been no easy task, including 52 subpoenas, 46 informal inquiries abroad, and domains almost untraceable thanks to Bitcoin and Tor. As a result, Microsoft has been forced to send the legal papers to the group’s disposable webmail accounts, a tracking bug revealing they’ve been opened over 30 times.

However, the only response from Fancy Bear has been to register new domains. This time, they’ve done away with the naming conventions discovered by Microsoft, but are seemingly taunting the company by using its contact information for the domains.

In total, Microsoft has found 122 new victims, and doesn’t seem to be giving up anytime soon. It’s seeking approval to seize 9000 domains that its algorithms say Fancy Bear will register next.