Microsoft said it has taken down 99 websites belonging to an Iranian state-linked hacking group it calls “Phosphorus,” aka APT35, Charming Kitten, and Ajax Security Team.
According to court documents unsealed this week, Microsoft received a court order allowing them to take control of websites the hacking group had used to execute phishing attacks with fake Microsoft security warnings.
In a blog post on the takedown, Microsoft’s Tom Burt, corporate vice president, customer security & trust, wrote that the company had worked with other companies, including Yahoo and a number of domain registrars to build the case that was taken before the judge to obtain the injunction.
Microsoft had been tracking Phosphorus since 2013 and had seen the group launch attacks around the world, though its more recent activity seemed to target businesses, government agencies, and “those involved in advocacy and reporting on issues related to the Middle East.”
The Iranian hacking group last December was spotted by researchers at Cerfta attempting to hack email accounts of US Treasury members, defenders, detractors, Arab atomic scientists, Iranian civil society figures, DC think-tank employees, and enforcers of the US-Iran nuclear deal.
Phil Reitinger, president and CEO of the Global Cyber Alliance, says Microsoft’s use of legal power to disrupt the group is a best-case scenario. “Using what amounts to civil judicial remedies where you can get the evidence to back it up strikes me as a best practice for disrupting a group that’s harming you. Can mistakes be made? Sure, but for the sophisticated players that can support this, it is the most certain and defensible way to proceed,” he says.
Monique Becenti, channel and product specialist at SiteLock, says Phosphorus’ operation presents a cautionary tale for other businesses. “This is the second time Microsoft has had a run-in with nation-state cybercriminals and it goes to show that even one of the biggest and most sophisticated technology companies in the world can’t prevent these types of attacks,” she says.
That opinion was echoed by Terence Jackson, CISO at Thycotic. “Bad actors often know websites are often the weakest link and have infiltrated this time and time again.”
Microsoft, meanwhile, has dealt with this type of site impersonation in the past. In his blog post, Burt wrote, “We have used this approach 15 times to take control of 91 fake websites associated with Strontium.”
Ultimately, Reitinger hopes that other organizations will see this action as effective and use it as a model, rather than relying on other, extra-legal tactics.
“I think it’s worth highlighting the difference between this and the kind of activity referred to as ‘hack-back.’ I’m not in favor of hack back because it’s people taking the law into their own hands,” he says. “Using civil remedies – such as a temporary restraining order to take control of malicious sites – is a powerful tool that can be used to prevent or mitigate cyberattacks.”
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.
Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio