In what is one of Microsoft’s biggest public displays of might, the tech firm announced last week the seizure of six domains believed to belong to Russian hacking outfit Fancy Bear.
For those not familiar with the group, Fancy Bear, which also goes by APT28, was strongly linked to a myriad of phishing campaigns during the 2016 United States presidential elections.
These public takedowns come amid preparations for the congressional elections, which are set to take place in November.
Through its in-house investigative arm, the Digital Crimes Unit (DCU), Microsoft revealed that it has now taken down a total of six phishing domains that were targeting the upcoming midterms.
Simple but Effective
Microsoft’s DCU took down the six phishing sites suspected to be the handiwork of Fancy Bear using a technique known as sinkholing.
As the term suggests, sinkholing is a method that diverts all of a website's incoming traffic into a sinkhole, in this case a server controlled by the defender rather than the traffic's intended destination.
Before they could do this, however, they needed to get legal permission.
In 2016, the tech firm filed a lawsuit against Fancy Bear, which it won. This not only gave it permission to bring down Fancy Bear's numerous phishing sites, but it also laid the foundation for its future cybersecurity takedowns.
Now, Microsoft is in a unique position to acquire the court approvals needed to take down any number of malicious sites they encounter.
In a statement to the media, David Kennedy, CEO of Binary Defense Systems, lauded the efficiency of the sinkholing technique, which is commonly used in the cybersecurity industry to bring down malicious sites.
Though no specifics about the takedowns were shared, experts believe that Microsoft used a common sinkholing method: altering the DNS records of the domain in question so that they point at a server of Microsoft's choosing, thereby redirecting all traffic destined for the phishing site.
Microsoft could have taken down all of these sites at once, but it is also possible that the Digital Crimes Unit quietly observed the redirected traffic for a time, gathering intelligence before finally taking the sites down.
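Once a seized domain has been repointed at a sinkhole, resolver logs become a detection source: any internal host that still looks up the domain, or receives the sinkhole address as an answer, is a likely phishing victim that needs follow-up. The following is an added example, not Microsoft's or the DCU's code; the domains, the sinkhole address and the log lines are all constructed placeholders, and the log layout is an assumed "timestamp client qname type answer" format.

```python
import re
from typing import Iterable, List, Set, Tuple

# Constructed placeholders: domains assumed to have been seized and the
# address their DNS records were repointed to (RFC 5737 documentation range).
SINKHOLED_DOMAINS: Set[str] = {"login-senate-example.test", "thinktank-portal.example"}
SINKHOLE_IP = "192.0.2.10"

# Constructed resolver log in the assumed "timestamp client qname type answer" layout.
SAMPLE_DNS_LOG = """\
2018-08-20T09:01:12Z 10.0.5.23 login-senate-example.test A 192.0.2.10
2018-08-20T09:01:13Z 10.0.5.23 www.example.com A 203.0.113.5
2018-08-20T09:02:40Z 10.0.7.8 mail.thinktank-portal.example. A 192.0.2.10
2018-08-20T09:03:05Z 10.0.9.1 intranet.local A 10.0.0.5
2018-08-20T09:04:51Z 10.0.3.3 newly-seized.example A 192.0.2.10
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (A|AAAA|CNAME) (\S+)$")


def is_sinkholed(qname: str, sinkholed: Set[str]) -> bool:
    """True if qname is a seized domain or a subdomain of one.

    Trailing dots and case are normalised; a label-boundary check prevents
    'notlogin-senate-example.test' from matching 'login-senate-example.test'.
    """
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in sinkholed)


def find_sinkhole_hits(log_lines: Iterable[str],
                       sinkholed: Set[str] = SINKHOLED_DOMAINS,
                       sinkhole_ip: str = SINKHOLE_IP) -> List[Tuple[str, str]]:
    """Return (client, domain) pairs for lookups that touched the sinkhole.

    A hit is either a query for a known seized name or any answer equal to the
    sinkhole address; the second test also surfaces seized domains that were
    not yet on the local list.
    """
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # skip malformed or unrelated lines
        _ts, client, qname, _rtype, answer = match.groups()
        if is_sinkholed(qname, sinkholed) or answer == sinkhole_ip:
            hits.append((client, qname.rstrip(".").lower()))
    return hits


if __name__ == "__main__":
    for client, domain in find_sinkhole_hits(SAMPLE_DNS_LOG.splitlines()):
        print(f"follow up on {client}: resolved sinkholed domain {domain}")
```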
Republican Groups Targeted
Russian political hacking has certainly been on the agenda since the last U.S. presidential election cycle, though now it seems to be shifting gears.
Previously, these phishing sites mostly took advantage of unsuspecting Democrats, but a shift to Republican targets, particularly those who oppose President Donald Trump's relationship with Russian President Vladimir Putin, is now evident.
The phishing sites imitated Senate pages, think tanks and a number of Republican groups.
Phishing sites often look identical to the sites they impersonate, and this is where the danger lies.
A phishing attack targets people who unsuspectingly log onto these fake websites and, in the process, hand their login credentials to the attackers.
It tends to be quite an effective method of attack when it is designed to target low-level employees in a huge organization.
Microsoft's Digital Crimes Unit had its work cut out for it, but it was able to detect many of these Fancy Bear sites by looking for telltale signs in its user data.
Empowered by its visibility into billions of users' activities, the unit was able to track the hacking group's infrastructure across the web, gathering evidence before making the decision to shut the sites down.
Why Microsoft Rules the World of Cybersecurity
Thus far, Microsoft has used a similar approach 12 different times, and it has resulted in the seizure of 84 malicious domains.
Though Microsoft isn't the only mainstream tech firm actively working to stop malicious campaigns against its customers, it is certainly more vocal about it than its counterparts at Google, who go only as far as warning their Gmail users of potential phishing attacks.
Former National Security Agency analyst Jake Williams is familiar with Microsoft’s history of successful domain takedowns using this particular technique.
In a statement to the media, he attributed their high success rate to the fact that the DCU has been in operation for years.
Williams, who is also the founder of Rendition InfoSec, conceded that the tech giants are no strangers to threat research, and that might explain their proficiency in distinguishing threats online from legitimate websites.
Williams’ sentiments are echoed by Dave Aitel, another former employee of the NSA who is now working at the security infrastructure firm Cyxtera, though Aitel believes that Microsoft is ushering in a new era where private companies publicly attribute malicious attacks to entire nation-states.
As Binary Defense's Kennedy noted, sinkholing may be effective, but it is by no means a definitive measure to curb these attacks.
Having Russia as its most powerful and most active adversary puts Microsoft in a spot few would envy. Without a doubt, it will need to pull out the big guns to keep the Russian hacking outfit from striking again.