Microsoft Takes Control of 99 Websites From APT Group

Published 29 March 2019
Source: Gov Info Security

Microsoft is using its legal muscle to push back against an advanced persistent threat group that it says is “widely associated with Iranian hackers.” Following court approval, it is taking control of 99 website domains allegedly used by the attackers as part of an ongoing spear-phishing campaign.

A court filing unsealed Wednesday reveals the details of Microsoft’s request to take control of these websites, which were being used by an APT group dubbed Phosphorus. A U.S. District Court in Washington, D.C., recently granted the request.

The APT group is also known by several other names, including APT35, Charming Kitten and Ajax Security Team. The group has targeted journalists and activists throughout the Middle East since at least 2013, according to Microsoft.

In most cases, the APT group attempts to gain access to government and business networks through various spear-phishing campaigns, using social engineering techniques as well as fake social media accounts that appear friendly to the victims, Microsoft reports.

These campaigns usually use a malicious link to infect the victim’s PC. “Phosphorus also uses a technique whereby it sends people an email that makes it seem as if there’s a security risk to their accounts, prompting them to enter their credentials into a web form that enables the group to capture their passwords and gain access to their systems,” according to a Microsoft blog post.

Legal Action

Over the last two years, Microsoft has turned to the courts in an attempt to stop APT groups and other attackers from using the company’s brands and products as part of their schemes. This has helped slow down some of their activities.

For instance, in 2017, Microsoft used some of the same arguments about its brands and products to take action against a Russia-backed group that the company calls Strontium but that also goes by other names such as APT28, Fancy Bear, Pawn Storm, Sednit, Sofacy and the Tsar Team.

The Russia-backed group has been linked to numerous attacks, including the one against the U.S. Presidential Election in 2016 that, in part, triggered the investigation by Special Counsel Robert Mueller, who submitted his report to the Attorney General on March 22.

These types of legal manoeuvrings by Microsoft and other companies are becoming much more common in the ongoing tussle between nation-states, tech firms and victims, Steve Durbin, the managing director of the Information Security Forum, a London-based cybersecurity and risk management firm, tells Information Security Media Group.

“You see this type of legal action coming about for two reasons,” Durbin says. “The first is that regulators and legislators are getting better about putting new regulations and new legislation in place – and if it’s there, people will use it. The second point is that you have to have some level of recourse. … It’s all very well to threaten, but you really have to go out and do something about it, if it’s of significant value to you. So I think we’re going to see more of it, especially around IP theft, because that has immense value. … You will see courts much busier.”