Can’t hack it: US court orders hackers to leave Microsoft computers & trademarks alone

24 Aug, 2017 00:09

An alleged Russian hacking group has been permanently banned from hacking Microsoft computers or using its trademarks, after Microsoft won a major US court victory. The tech giant is now legally entitled to take over the hackers’ “command and control” domains.

On Tuesday, US District Judge Gerald Bruce Lee ruled in favor of Microsoft in a lawsuit against the hacking group known as “Fancy Bears,” also referred to as APT28 and Strontium.

In the ruling, the US District Court for the Eastern District of Virginia permanently enjoined Fancy Bears from sending malicious software or code to infect Microsoft or Microsoft’s customers without authorization.

The court also enjoined the hackers from intentionally attacking Microsoft computers or its customers’ computers, stealing information from Microsoft or its customers, and “configuring, deploying, operating or otherwise participating in or facilitating a command and control infrastructure.”

Under the order, Microsoft was granted the ability to take over “command and control” domains the hackers used to manipulate malware installed on victim computers. Through the lawsuit, Microsoft has been able to take over at least 70 different command and control points from the hacking group since August, according to the Daily Beast.

Instead of taking control of physical servers, Microsoft has been taking control of the internet domain names that route to servers Fancy Bears rent from data centers. Microsoft has taken over domain names such as microsoftinfo365.com and livemicrosoft.net, which the company can use to observe the hackers’ activity and stop them from controlling infected computers.

The court also enjoined Fancy Bears from using Microsoft trademarks, including all “symbols, words, designs or statements” that would “result in deception of customers.” Hacking groups use official logos and replicated designs to spoof login pages, in order to trick users into giving up their username and password in phishing campaigns.

Fancy Bears have been accused of hacking the Democratic National Committee (DNC) during the US 2016 presidential election. The group, which was dubbed Fancy Bears by cybersecurity firm CrowdStrike for its never-proven connection to the Russian government, was also allegedly responsible for hacking the World Anti-Doping Agency (WADA) and the International Association of Athletics Federations (IAAF).

"Granting Microsoft possession of these domains will enable Microsoft to channel all communications to those domains to secure servers, thereby cutting off the means by which the Strontium defendants communicate with the infected computers," Jason Norton, a threat intelligence manager at Microsoft, wrote in an August 2016 court filing.

"In other words, any time an infected computer attempts to contact a command and control server through one of the domains, it will instead be connected to a Microsoft-controlled, secure server. While it is not possible to rule out the possibility that the Strontium defendants could use fallback mechanisms to evade the requested relief, redirecting this core subset of Strontium domains will directly disrupt current Strontium infrastructure, mitigating risk and injury to Microsoft and its customers."
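The mechanism the filing describes, and the lookalike names mentioned earlier in the article, are modelled in the following added example. It is not code from the article, Microsoft or the court record: it redirects seized names to a constructed sinkhole address, records which hosts beacon to them, lets a made-up fallback domain (`fallback-c2.example`) slip past the seizure to show the caveat the filing raises, and flags hostnames that embed the brand token outside an assumed list of legitimate zones. All addresses, the zone list and the beacon log are constructed for the demonstration.

```python
# Added example, not from the article: a toy model of the domain seizure
# ("sinkhole") the court order enables, plus a check for hostnames that
# embed a brand name outside the brand's real zones. All names, addresses
# and log lines below are constructed for the demo.

from collections import Counter

# Assumption: the zones Microsoft legitimately controls (illustrative list only).
LEGIT_ZONES = ("microsoft.com", "live.com")
BRAND_TOKENS = ("microsoft",)

# Constructed addresses from the RFC 5737 documentation ranges.
SINKHOLE_IP = "192.0.2.10"
ORIGINAL_C2 = {
    "microsoftinfo365.com": "198.51.100.5",   # domain named in the article
    "livemicrosoft.net": "198.51.100.6",      # domain named in the article
    "fallback-c2.example": "203.0.113.9",     # made-up fallback domain, not seized
}
SEIZED = {"microsoftinfo365.com", "livemicrosoft.net"}


def registrable_domain(host: str) -> str:
    """Naive registrable domain: last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def impersonates_brand(host: str) -> bool:
    """True when a brand token appears in a hostname that is not under a legitimate zone."""
    h = host.lower().rstrip(".")
    if registrable_domain(h) in LEGIT_ZONES:
        return False
    return any(tok in h for tok in BRAND_TOKENS)


class Sinkhole:
    """Resolver that answers seized names with the sinkhole address and records beacons."""

    def __init__(self, seized, upstream):
        self.seized = set(seized)
        self.upstream = dict(upstream)
        self.beacons = []  # (victim_ip, domain) pairs captured by the sinkhole

    def resolve(self, name: str):
        if name in self.seized:
            return SINKHOLE_IP
        return self.upstream.get(name)

    def beacon(self, victim_ip: str, name: str) -> str:
        """Outcome of one infected host trying to reach its controller by name."""
        addr = self.resolve(name)
        if addr == SINKHOLE_IP:
            self.beacons.append((victim_ip, name))
            return "sinkholed"
        if addr is None:
            return "unresolved"
        return "reached_c2"  # an unseized fallback domain still works: the filing's caveat


# Constructed beacon attempts, one per line: "victim_ip domain"
BEACON_LOG = """\
10.0.0.5 microsoftinfo365.com
10.0.0.7 livemicrosoft.net
10.0.0.5 microsoftinfo365.com
10.0.0.9 fallback-c2.example
"""


def run_sinkhole(log: str = BEACON_LOG) -> dict:
    """Replay the log through the sinkhole and summarise what a defender learns."""
    sh = Sinkhole(SEIZED, ORIGINAL_C2)
    outcomes = Counter()
    for line in log.splitlines():
        victim, name = line.split()
        outcomes[sh.beacon(victim, name)] += 1
    victims = sorted({v for v, _ in sh.beacons})
    return {
        "outcomes": dict(outcomes),
        "victims": victims,
        "suspect_names": sorted(n for n in ORIGINAL_C2 if impersonates_brand(n)),
    }


if __name__ == "__main__":
    print(run_sinkhole())
```

Two points the replay makes visible: the sinkhole yields a victim list (hosts that beaconed to seized names) that can be handed to the affected customers, and the one beacon that reaches `fallback-c2.example` shows why the filing only claims to disrupt the "core subset" of domains rather than all of the infrastructure. The brand check is deliberately crude (substring match, no public-suffix handling) and would need a proper suffix list and allow-list before use on real DNS logs.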

According to court documents, Microsoft identified thousands of domains that the hackers may have used to target its computers and networks.

According to the Daily Beast, Microsoft made several attempts to serve the hackers with legal papers via email, sending them to the accounts that were used to register the command and control domains. While the hackers never responded, a tracking bug planted in the emails showed they were opened at least 30 times.

Since the hackers never showed up in court to defend themselves, the court ruled in favor of Microsoft in a default judgment.