How Microsoft is Fighting Back Against Fancy Bear

Media Division | August 7, 2017

There are numerous threats lurking across the landscape that we have to continually defend ourselves against with cyber security. There are lone-wolf hackers, nation states, and criminal groups, all looking to steal money and data, compromise systems, or gather intelligence. Every once in a while a hacker or group causes so much havoc and damage that they build quite a reputation for themselves, making headlines with their constant barrage of attacks on organizations and institutions. Unfortunately, we do not always discover quickly who these entities are, and they may keep launching attacks for years while evading those pursuing them. One of the most prominent such groups in recent years has been Fancy Bear, which also goes by numerous other aliases, including APT28, Pawn Storm, Sofacy Group, STRONTIUM, and Sednit.

Fancy Bear has been making waves with the large number of attacks it has launched on institutions in the United States and abroad. Some of the most well known were the 2016 breach of the Democratic National Committee during the U.S. election and the hacking of Emmanuel Macron's campaign during the 2017 French presidential race. Investigations of several attacks have indicated that Fancy Bear is connected to Russian intelligence operations, though Russia has denied all such allegations.

Retaliating with Methods Other than Cyber Security

So, what does one do to take on an anonymous, insidious, and well-funded nation-state hacking group? While we may not be able to locate and pursue them directly, some organizations have decided to take action themselves, and one of these is Microsoft. Microsoft's strategy? Sue Fancy Bear in United States courts. The suit names the operators only as unidentified "John Does," and its legal hook is that the group's domains impersonate Microsoft brands and services, which lets Microsoft ask the court to hand those domains over to it. The method may seem unorthodox, since suing an unknown adversary is somewhat akin to shooting into the woods and hoping to hit a deer. Yet for a shot in the dark, it appears to be having some real effect. As of March of this year, Microsoft's tactics had allowed it to seize 70 Fancy Bear domains, including one employed in the 2016 election hacking. In a further victory, the seizures also allowed Microsoft to identify 122 new victims of the group beyond the ones already known: once a command-and-control domain is transferred to Microsoft, infected machines keep trying to resolve and contact it, and those connections now land on Microsoft-controlled infrastructure instead of the attackers'.

It is an interesting approach largely because, rather than going after the servers themselves, Microsoft is flanking them by taking down the associated domains. These domains are frequently used for command and control (C&C) or for phishing pages that purloin credentials. Since the implants and phishing lures reference the domain name rather than a fixed address, transferring control of the name cuts off the channel without anyone ever touching the attacker's servers. It is not a direct hit on the group itself, but it is a heavy blow, because it blocks many of the attacks that would be attempted through these sites. The legal filings also divulge a good deal of information about Fancy Bear's methods, including how its sites can be identified. For instance, Microsoft has compiled a list of 140 words that commonly appear in the group's domain names, which lets new lookalike domains be spotted before they are used.
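To make the two mechanisms above concrete, the following is an added example written for this article; it is not code from Microsoft or from the court filings. It scans constructed DNS resolver log lines for domains built from brand-themed tokens (a small stand-in word list; the real 140-word list is not reproduced here) and then, treating a flagged domain as if it had been seized and sinkholed, reports the distinct client IPs still resolving it, which is how a takeover surfaces previously unknown victims. The log format, the token lists, the allowlist of legitimately owned brand domains, and the sample log lines are all assumptions made for the example.

```python
"""Added example: flag lookalike brand domains in DNS logs and list the
clients still resolving them. Token lists, allowlist, log format and log
lines are constructed for illustration, not taken from the lawsuit."""
import re
from collections import defaultdict

# Constructed stand-in for the word list described in the article (assumption).
BRAND_TOKENS = {"microsoft", "msft", "hotmail", "outlook", "live", "office",
                "onedrive", "windows", "azure", "msn"}
FILLER_TOKENS = {"update", "login", "secure", "mail", "service", "account",
                 "support", "auth", "rss", "web", "store"}
KNOWN_TOKENS = BRAND_TOKENS | FILLER_TOKENS

# Domains the brand owner legitimately controls; never flag these (assumption).
ALLOWLIST = {"microsoft.com", "live.com", "hotmail.com", "outlook.com",
             "office.com", "windowsupdate.com"}

# Constructed log format: "<ISO timestamp> <client ip> <qname> <qtype>".
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def registrable(domain: str) -> str:
    """Crude eTLD+1 (last two labels). A real deployment would consult the
    public suffix list so that names like example.co.uk are handled."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def tokenize(label: str):
    """Greedy longest-match split of a DNS label into known tokens.
    Returns the token list, or None if some part of the label is unexplained."""
    tokens, i = [], 0
    while i < len(label):
        for j in range(len(label), i, -1):
            if label[i:j] in KNOWN_TOKENS:
                tokens.append(label[i:j])
                i = j
                break
        else:
            return None
    return tokens


def suspicious(domain: str):
    """Token list if the registrable domain is a brand lookalike, else None.
    The allowlist is the control against flagging the real brand domains."""
    reg = registrable(domain)
    if reg in ALLOWLIST:
        return None
    label = reg.split(".")[0].replace("-", "")
    tokens = tokenize(label)
    if tokens and any(t in BRAND_TOKENS for t in tokens):
        return tokens
    return None


def analyze(log_text: str):
    """Return (flagged, clients): flagged maps registrable domain -> tokens;
    clients maps registrable domain -> sorted distinct client IPs that
    resolved it. Lines that do not match the log format are skipped."""
    flagged, clients = {}, defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        tokens = suspicious(m["qname"])
        if tokens is None:
            continue
        reg = registrable(m["qname"])
        flagged[reg] = tokens
        clients[reg].add(m["client"])
    return flagged, {d: sorted(ips) for d, ips in clients.items()}


def victims(clients) -> list:
    """Every client that contacted any flagged domain: the hosts a sinkhole
    would reveal as infected or phished."""
    return sorted({ip for ips in clients.values() for ip in ips})


# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2017-03-02T10:15:01Z 10.0.5.23 livemicrosoft.net A
2017-03-02T10:15:04Z 10.0.5.23 www.microsoft.com A
2017-03-02T10:16:11Z 10.0.7.8 rsshotmail.com A
2017-03-02T10:16:30Z 10.0.9.41 mail.livemicrosoft.net A
2017-03-02T10:17:02Z 10.0.5.23 login.live.com A
2017-03-02T10:18:45Z 10.0.2.2 example.org A
this line is garbage
2017-03-02T10:19:00Z 10.0.7.8 secure-outlook-update.org A
"""

if __name__ == "__main__":
    flagged, clients = analyze(SAMPLE_LOG)
    for dom, toks in flagged.items():
        print(f"{dom}: tokens={toks} clients={clients[dom]}")
    print("hosts to notify:", victims(clients))
```

Two caveats a practitioner would keep in mind: the greedy tokenizer is a heuristic, so a word list this short will both miss names that mix in unknown words and occasionally flag a harmless domain, which is why the allowlist and a human review of hits matter more than the matcher itself; and the client list only becomes evidence of compromise once the domain is actually sinkholed, since before that a lookup may just be a curious user or a security scanner.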

It appears that Fancy Bear has noticed the targeting: reports indicate that about 30 of the legal notices e-mailed to addresses tied to the seized domains have actually been opened. And in what looks like a rebuke to Microsoft, the group has kept registering new domains with Microsoft themes. Whether because the group cannot be traced or through plain neglect, there has not seemed to be much action against it from the authorities. That may be what led Microsoft to take matters into its own hands, and in doing so it may have found a reasonably successful way to go after groups like this. Outside of cyber security proper, this may be a means for organizations to better defend themselves and push back against their attackers.

Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.