Fancy Bear, aka APT 28, Sofacy or Strontium, is facing a tough adversary: Lawyers.
Specifically, Microsoft’s lawyers. The software giant has sued the Russian hacking group in US federal court, alleging trademark infringement, among other grievances—and using the lawsuit to dismantle big swathes of Fancy Bear's infrastructure.
According to the pleading:
“Microsoft alleges that defendants have violated Federal and state law by hosting a cybercriminal operation through these internet domains, causing unlawful intrusion into Microsoft and Microsoft’s customers’ computers and computing devices; and intellectual property violations to the injury of Microsoft and Microsoft's customers. Microsoft seeks a preliminary injunction directing the registries associated with these Internet domains to take all steps necessary to disable access to and operation of these Internet domains to ensure that changes or access to the Internet domains cannot be made absent a court order and that all content and material associated with these Internet domains are to be isolated and preserved pending resolution of the dispute. Microsoft seeks a permanent injunction, other equitable relief and damages.”
The Fancy Bear gang, believed to be behind the hack on the US Democratic National Committee (DNC), has been engaged in criminal activity since at least 2004 and has developed sophisticated attacks that bypass the typical network security at compromised organizations. In addition to the DNC and other US political victims, targets have included embassies in South America, the Middle East, Africa and Asia, Ministries of Defense in Europe and Asia, NATO, the World Anti-Doping Agency, Ukrainian political leaders, Russian political dissidents and members of Russia’s People’s Freedom Party.
Using phishing attacks and zero-day exploits, the group has gained access to a plethora of confidential information. Fancy Bear has also created legions of custom programs, backdoors, bootkits and rootkits to assist it in its spying.
At the heart of the lawsuit is the fact that the group often registers fake Microsoft domains (with names like livemicrosoft.com), which it uses to communicate with victims and with its command-and-control (C&C) servers. With preliminary injunctions from the lawsuit behind it, Microsoft has set about reclaiming the use of its name and product trademarks in these domains, redirecting traffic that would have reached the servers Fancy Bear rents to Microsoft's own infrastructure.
“In other words,” Microsoft outside counsel Sten Jenson explained in a court filing, “any time an infected computer attempts to contact a command-and-control server through one of the domains, it will instead be connected to a Microsoft-controlled, secure server.”
So far, Microsoft has sinkholed 70 different rogue domains this way.
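The lookalike-domain pattern described above (a protected brand name embedded in a domain the brand does not control, such as livemicrosoft.com) is something a defender can hunt for in their own DNS telemetry. The script below is an added example written for this article, not code from Microsoft or from the court filings. It scans constructed DNS query log lines for names that contain a brand token but resolve under a registrable domain outside a small allow-list of legitimate zones; the allow-list, the brand tokens and the log format are assumptions for the example, and the two-label registrable-domain heuristic would need a Public Suffix List in production.

```python
"""Flag DNS queries for domains that embed a protected brand name outside
the brand's legitimate zones (lookalike / typosquat detection)."""
from typing import Iterable, List, Tuple

# Assumed allow-list of zones the brand legitimately controls. This is a
# constructed example list, not an authoritative inventory of Microsoft zones.
LEGIT_ZONES = {"microsoft.com", "live.com", "office.com"}

# Brand tokens to look for inside query names. "microsoft" is the only one the
# article names; the others are assumed product names added for illustration.
BRAND_TOKENS = ("microsoft", "outlook", "onedrive")


def registrable_domain(fqdn: str) -> str:
    """Return the last two labels of a name, lowercased, without a trailing dot.

    Heuristic only: multi-label public suffixes such as co.uk need the
    Public Suffix List, which this offline example does not load.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def is_lookalike(fqdn: str) -> bool:
    """True when the name carries a brand token but is not under a legitimate zone.

    Hyphens and dots are stripped before matching so that both
    'livemicrosoft.com' and 'microsoft.login.example.net' are caught.
    """
    if registrable_domain(fqdn) in LEGIT_ZONES:
        return False
    flattened = fqdn.rstrip(".").lower().replace("-", "").replace(".", "")
    return any(token in flattened for token in BRAND_TOKENS)


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, queried_name) for every lookalike query in the log.

    Assumed log format (constructed for this example):
        <timestamp> <client_ip> query <rrtype> <name>
    Malformed lines are skipped rather than raising.
    """
    hits: List[Tuple[str, str]] = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5 or fields[2] != "query":
            continue
        client_ip, name = fields[1], fields[4]
        if is_lookalike(name):
            hits.append((client_ip, name))
    return hits


# Constructed sample log: the hosts, timestamps and all names other than
# livemicrosoft.com are made up for this example.
SAMPLE_LOG = [
    "2017-07-20T12:00:01Z 10.0.0.12 query A login.microsoft.com",
    "2017-07-20T12:00:03Z 10.0.0.12 query A livemicrosoft.com",
    "2017-07-20T12:00:05Z 10.0.0.44 query A www.example.org",
    "2017-07-20T12:00:07Z 10.0.0.51 query A outlook.office.com",
    "2017-07-20T12:00:09Z 10.0.0.51 query A microsoft.login.example.net",
    "2017-07-20T12:00:11Z 10.0.0.51 query A outlook-secure-mail.example",
    "garbage line that should be skipped",
]

if __name__ == "__main__":
    for client, name in scan_dns_log(SAMPLE_LOG):
        print(f"lookalike brand domain queried by {client}: {name}")
```

Hits from a scan like this are a hunting lead, not a verdict: a legitimate partner or CDN host can also contain a brand word, so the allow-list needs to be maintained, and a match should be correlated with the sinkhole or threat-intelligence feeds an organisation already consumes before any blocking decision.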
The litigation stretches back to last summer, initiated right after the White House said it had high confidence that the Kremlin was behind the DNC hack. A judge in Alexandria, Va., is now scheduled to issue a final decision in the case. Microsoft has asked for a final default judgment and a permanent injunction against Fancy Bear.