The case was before the U.S. District Court of Virginia, which ruled Fancybear can no longer send malicious content to Microsoft. Hackers from the group are also banned from sending infections to Microsoft customers.
As you may suspect, there is nothing US law can do to stop Fancybear. The hackers could still continue to attack Microsoft and its customers. So, perhaps the ruling is pointless? Not quite: the result is not without merit, as it gives Microsoft some power to disrupt attacks from Fancybear.
Because of this decision, Redmond can take possession of domains owned by the group. These domains are used to deliver malicious content, but Microsoft will now be able to control them. The company will take down these domains, which usually include Microsoft trademarks, such as microsoftinfo365.com.
So, in reality, the court ruling was a trademark case, but it could show a way for companies to take control over sites used by hackers.
“Granting Microsoft possession of these domains will enable Microsoft to channel all communications to those domains to secure servers, thereby cutting off the means by which the Strontium defendants communicate with the infected computers,” Jason Norton, a threat intelligence manager at Microsoft, wrote when the filing was made last year.
“In other words, any time an infected computer attempts to contact a command and control server through one of the domains, it will instead be connected to a Microsoft-controlled, secure server.
While it is not possible to rule out the possibility that the Strontium defendants could use fallback mechanisms to evade the requested relief, redirecting this core subset of Strontium domains will directly disrupt current Strontium infrastructure, mitigating risk and injury to Microsoft and its customers.”
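A defender-side illustration of what the redirection described above enables: once the seized domains resolve to a controlled server, the hosts that still look them up are the infected ones, and the same trademark pattern can be spotted in DNS logs. The script below is an added example, not Microsoft's code; it scans constructed DNS query log lines for the page's example domain microsoftinfo365.com and for other trademark-bearing lookalikes, with the log format, the allow-list and the trademark list being assumptions.

```python
import re

# The page names microsoftinfo365.com; the second entry is a constructed placeholder.
SINKHOLED_DOMAINS = {"microsoftinfo365.com", "sinkholed-placeholder.example"}

# Assumed allow-list of legitimate domains; real deployments would use a fuller list.
LEGITIMATE_SUFFIXES = ("microsoft.com", "microsoftonline.com", "office.com", "live.com")

# Assumed trademark strings whose presence in a non-allow-listed domain is suspicious.
TRADEMARKS = ("microsoft", "office365", "outlook", "azure")

# Assumed log format: "<timestamp> <client-ip> query <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def is_legitimate(domain: str) -> bool:
    """True if the domain is, or is a subdomain of, an allow-listed domain (dot boundary enforced)."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in LEGITIMATE_SUFFIXES)


def is_lookalike(domain: str) -> bool:
    """True if the domain embeds a trademark string but is not on the allow-list."""
    d = domain.lower().rstrip(".")
    return any(t in d for t in TRADEMARKS) and not is_legitimate(d)


def parse_line(line: str):
    """Parse one log line; return (timestamp, client, normalized qname) or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("client"), m.group("qname").lower().rstrip(".")


def find_suspect_hosts(lines):
    """Map each client IP to the sorted sinkholed or lookalike domains it queried."""
    hits = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the scan
        _, client, qname = parsed
        if qname in SINKHOLED_DOMAINS or is_lookalike(qname):
            hits.setdefault(client, set()).add(qname)
    return {client: sorted(domains) for client, domains in hits.items()}


# Constructed sample log lines; addresses and timestamps are made up.
SAMPLE_LOG = """\
2017-08-01T10:00:01Z 10.0.0.5 query microsoftinfo365.com.
2017-08-01T10:00:02Z 10.0.0.7 query www.microsoft.com.
2017-08-01T10:00:03Z 10.0.0.5 query login.microsoftonline.com.
2017-08-01T10:00:04Z 10.0.0.9 query mail-microsoft-update.net.
this line is deliberately malformed
""".splitlines()

if __name__ == "__main__":
    for client, domains in find_suspect_hosts(SAMPLE_LOG).items():
        print(client, "->", ", ".join(domains))
```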
Microsoft says there are over a thousand malicious domains used by Fancybear. Since the ruling, the company has already taken control of 70 of those domains and will continue to do so. As expected, Fancybear did not participate in the case, and the court's decision was a default judgment.