igor - Fotolia
Fancy Bear C&C servers taken down by Microsoft lawsuit
Experts applaud Microsoft for clever use of a lawsuit to claim command and control server domains used by malicious Russian APT group Fancy Bear.
Cybersecurity isn't always a battle between hackers and IT pros as Microsoft showed with a lawsuit to gain control of malicious domains.
Microsoft first filed the lawsuit in August 2016 seeking a permanent injunction allowing the company to "to disable access to and operation of these internet domains," which are associated with malicious activity by the Russian advanced persistent threat (APT) group Fancy Bear. The Russian APT -- also known as APT28, Sofacy, Pawn Storm and Strontium -- is most well-known for its ties to the hack of the Democratic National Committee.
According to the court filing, Microsoft wanted to take control of the command and control (C&C) servers so that "any time an infected computer attempts to contact a command and control server through one of the domains, it will instead be connected to a Microsoft-controlled, secure server."
Sten Jenson, Microsoft outside counsel, wrote in the filing, "[Fancy Bear's] use of Microsoft's trademarks is meant to confuse Microsoft's customers into opening documents or clicking on links that will result in not only their computers being infected, but will open the door to a major exploit of their networks and theft of their most sensitive information."
Jason Kichen, director of cybersecurity services at Versive Inc., said the use of domains designed to appear legitimate would have a number of uses for Fancy Bear.
"There's many reasons to use Microsoft related domains, infrastructure or IPs [addresses]. The overriding reason is that Microsoft and anything associated with it is generally trusted by users," Kichen said. "This might be a logon page that looks like a Microsoft page, or an IP address and server hosted on Microsoft cloud infrastructure."
Richard Goldberg, principal and litigator at the law firm Goldberg & Clements in Washington, D.C., said the key to this operation is that there is "little to no chance the Fancy Bear operators who own the domain names in question will respond in court.
"For that reason, Microsoft's applications for restraining orders and even requests for judgment are likely to remain unopposed," Goldberg said. "Therefore, once it becomes clear that no one will respond to the suit, Microsoft will likely be able to obtain a default judgment."
Richard Goldbergprincipal and litigator, Goldberg & Clements
Potential issues from the lawsuit
In August, the court granted a temporary restraining order against the Russian APT group and gave Microsoft control of 70 C&C domains, but Microsoft wanted a default judgment and permanent injunction, because Fancy Bear ignored the order and continued using new C&C domains. The United States district court for the eastern district of Virginia heard Microsoft's motion for final judgment on June 21, 2017, but had not made a ruling as of this post.
Goldberg said Microsoft had used similar lawsuits in the past regarding the Zeus botnets, and overall Microsoft has been "smartly judicious" in using lawsuits, but saw potential issues.
"What is relatively new here is that Microsoft is requesting that the final order put a judge in a permanent position to approve subsequent seizure orders -- and if news reports are correct, the company is offering to foot the bill," Goldberg said. "Again, I expect this may concern some in the security and legal communities. Will there be sufficient oversight by technically savvy judges, or will orders essentially be rubber stamped?"
Kichen said as interesting as these lawsuit against Fancy Bear may be, "organizations still need to be on guard against these same adversaries day in and day out, because attackers always adapt and find new vectors to operate.
"Obtaining and using clandestine and/or covert infrastructure is very hard to do at scale, and for a sophisticated adversary like Fancy Bear, efforts like this certainly won't stop their activity, but it will make it markedly harder for them to maintain a similar operational pace and quality," Kichen said. "Having to acquire and set up and run new infrastructure based on anything other than your own operational decisions causes at least some amount of impact on ongoing operations. Not only does every little bit of impact help, but I suspect that the impact here is more significant."
Lamar Bailey, senior director of security research at Tripwire, said, "Taking command and control servers out of the hands of known bad actors is always a good thing." But he questioned if law enforcement should be using these domains to investigate Fancy Bear.
"It is common for command and control servers that are used to deploy, update and harvest data from malware to change hands, but this generally happens between groups of bad actors sometimes by barter or sale and other times by force. We have seen law enforcement and government agencies successfully coordinate across international lines to take down and control these servers, too, with some success," Bailey said. "This new trend where public companies are suing to gain access to the servers is a little more concerning."
He continued, "What rules will a public company be under to secure and protect data they gleam from the servers? Are they required to protect the data since it is not from any of their products or offerings? Are they going to inform the infected users that they are infected? Can the data be used for marketing or other company business? There are lots of questions here."