Microsoft Takes Control of 99 Websites From APT GroupPhosphorus Group Waged Spear-Phishing Campaign, Company Reports
Microsoft is using its legal muscle to push back against an advanced persistent threat group that is says is "widely associated with Iranian hackers." Following court approval, it is taking control of 99 website domains allegedly used by the attackers as part of an ongoing spear-phishing campaign.
See Also: Automating Security Operations
A court filing unsealed Wednesday reveals the details of Microsoft's request to take control of these websites, which were being used by an APT group dubbed Phosphorus. A U.S. District Court in Washington, D.C., recently granted the request.
The APT group also is known by several other names, including APT35, Charming Kitten and Ajax Security Team. The group has targeted journalists and activists throughout the Middle East since at least 2013, according to Microsoft.
In most cases, the APT group attempts to gain access to government and business networks through various spear-phishing campaigns, using social engineering techniques as well as fake social media accounts that appear friendly to the victims, Microsoft reports.
These campaigns usually use a malicious link to infect the victim's PC. "Phosphorus also uses a technique whereby it sends people an email that makes it seem as if there's a security risk to their accounts, prompting them to enter their credentials into a web form that enables the group to capture their passwords and gain access to their systems," according to a Microsoft blog post.
Use of Brand Names
One reason that the Microsoft's Digital Crimes Unit and the Microsoft Threat Intelligence Center asked the court to allow the company to take back domains is that many of the websites used in these attacks had realistic-sounding brand names such as outlook-verify.net, yahoo-verify.net, verification-live.com, and myaccount-services.net.
The group also used trademarked logos from Microsoft, including "Windows Live" and "LinkedIn," according to the court documents.
The company argued that because the APT group was harming its brand, Microsoft should be allowed to take legal action against the group and seize domains that hurt its reputation.
"Customers expect Microsoft to provide safe and trustworthy products and services," the company said in court papers. "There is a great risk that Microsoft's customers, both individuals and he enterprises for which they work, may incorrectly attribute these problems to Microsoft products and services, thereby diluting and tarnishing the value of these trademarks and brands."
In the court documents, Microsoft provided several examples of these malicious fakes, including fake log-in pages for Outlook.
Over the last two years, Microsoft has turned to the courts in an attempt to stop APT groups and other attackers from using the company's brands and products as part of their schemes. This has helped slow down some of their activities.
For instance, in 2017, Microsoft used some of the same arguments about its brands and products to take action against a Russia-backed group that the company calls Strontium but that also goes by other names such as APT28, Fancy Bear, Pawn Storm, Sednit, Sofacy and the Tsar Team.
The Russia-backed group has been linked to numerous attacks, including the one against the U.S. Presidential Election in 2016 that, in part, triggered the investigation by Special Counsel Robert Mueller, who submitted his report to the Attorney General on March 22.
These types of legal maneuverings by Microsoft and other companies are becoming much more common in the ongoing tussle between nation-states, tech firms and victims, Steve Durbin, the managing director of the Information Security Forum, a London-based cybersecurity and risk management firm, tells Information Security Media Group.
"You see this type of legal action coming about for two reasons," Durbin says. "The first is that regulators and legislators are getting better about putting new regulations and new legislation in place - and if it's there, people will use it. The second point is that you have to have some level of recourse. ... It's all very well to threaten, but you really have to go out and do something about it, if it's of significant value to you. So I think we're going to see more of it, especially around IP theft, because that has immense value. ... You will see courts much busier."
It took Microsoft years to study the Phosphorus group and to finally gather enough evidence to go to a federal court to seize control of the 99 domains, the company said. Now, Microsoft's Digital Crime Unit will redirect traffic from these sites into a specialized sinkhole, where analysts will continue to analyze the data.
Whether Microsoft or anyone else knows exactly who is behind this particular APT group is not clear. Microsoft, in its court papers, only refers to "John Does 1 and 2" as having control over the network that conducted the spear-phishing attacks.
In a report released in August 2018, FireEye makes passing reference to the group, which it refers to as APT35 or Newscaster, noting that it has "used inauthentic news sites and social media accounts to facilitate espionage."