To battle alleged Russian hackers, Microsoft has moved to strip them of the command-and-control domains they use to stage their attacks and exfiltrate data.
To do so, however, Microsoft isn't hunting the attackers down. Instead, it's taking them to court.
"There's an old saying that litigation is war by other means," cybersecurity attorney Mark Rasch, who in 1991 created the Computer Crime Unit at the U.S. Department of Justice, tells Information Security Media Group.
Call it death by a thousand domain name seizures.
Here's how it works: Microsoft last year launched a civil action again unnamed hacker "John Does" tied to the "internet-based cyber-theft operation referred to as 'Strontium,'" according to recently unsealed court documents that have been helpfully released online by the technology giant.
Strontium - aka APT28, Fancy Bear, Pawn Storm, Sednit, Sofacy, and the Tsar Team - is the name of a group of cyber-espionage hackers who appear to be tied to the Russian government. The group has been connected to attacks related to the 2016 U.S. presidential election, the recent French elections, other governments, as well as NATO, among many others (see Tainted Leaks: Researchers Unravel Cyber-Espionage Attacks).
To disrupt the attack infrastructure used by the group, Microsoft alleges in court documents that Strontium has created command-and-control domains tied to its attacks, which often involve spear phishing, that are "designed to cause harm to Microsoft, its customers and licensees, and the public." The technology giant is alleging that the attackers have violated a number of statutes, including the Computer Fraud and Abuse Act and the Electronic Communication Privacy Act. In a novel move, it's also alleging trademark violations, and that the attackers have by imitating various Microsoft properties - including Windows, Outlook and OneDrive - in an effort to deceive users.
Microsoft says it's attempted to notify Strontium via a range of email addresses that the group is known to use. And if the hackers want to contest the charges, then they need to show up in U.S. court to contest them. Of course, that's never going to happen. As a result, Microsoft will win the case, by default, and be allowed to seize the domain names in question.
"Suing defendants who will never appear in court and say 'we are the hackers you are looking for' is an elegant way to launch a multi-headed attack on cybercrime," at least for large-scale malware attacks, attorney Chris Pierson, CSO and general counsel for financial technology payment firm Viewpost, tells ISMG. "It can be quite effective at physically removing servers from leased data centers, turning off cloud accounts, taking control of domain names used to launch phishing attacks and taking over command-and-control servers."
First Time: Zeus
This isn't the first time that Microsoft has taken hackers to court, and Pierson says such moves work best as part of a wider strategy. "Microsoft really started this in 2012 with their global takedown of Zeus," Pierson says. "Using the legal vector adds strength to the multi-headed attack Microsoft uses, ensures prior precedence in the court for the legal theories it uses, tackles the issue of service and lack of appearance of a defendant and allows them to give and share these successes with others."
But Microsoft faces a challenge when it comes to seizing botnet domains and infrastructure. "Governments can do it, but not private citizens," Rasch says. "The law tends to disfavor what we call self-help ... so you have to resort to legal process, and the problem is we don't have a legal process designed around botnet armies."
Hence Microsoft, in its attempt to petition the court to disrupt Fancy Bear, has had to cobble together a remedy using various laws, what Rasch calls the legal equivalent of "bubblegum and sealing wax and Scotch tape.".
No Botnet Takedown Law
In an ideal world, however, legal experts say it would be better if there was an actual law designed to deal with botnet takedowns and to balance the various interests of everyone involved.
Crafting such a law, however, would be complex. Rasch says it would have to encompass individuals who launch botnets, others who write code to enable botnets, people whose computers are taken over by the botnet, registrars behind domain names used in the botnet, hosting entities as well as victims who are being harmed and can thus have legal standing to seek remedy from courts.
If such a law was put to use, however, takedowns would have to be handled with great caution. "One of the problems with botnets is that an innocent perpetrator is also a victim of the botnet," Rasch says. "So by shutting down or taking over that PC, you could have very bad results."
With this case, however, arguably it's good just to see someone taking the fight to the hackers, even if just to make their job more difficult. "In the short run, Microsoft will make a dent in traffic associated with this version of Fancy Bear and the tools and services it is using," Pierson says.
In the long term, however, it's a guarantee that no matter how successful Microsoft's legal manuevers prove to be, the hackers likely will be back.