The Logic Behind Suing Hackers
This week, Microsoft won a court case against APT28 - better known as the hacking group “Fancy Bear”, alleged to have been behind the DNC hacks of 2016. Microsoft appears to have filed the suit late last year. To casual onlookers, however, this behavior seems erratic: surely hackers will not show up in court to defend themselves, and they won’t consider themselves bound by a court decision.
Still, Microsoft’s actions are rational and effective. In this briefing, we will have a look at why.
Domains
The first element of Microsoft’s strategy is to win ownership of domain names. APT28 has used several domain names mimicking those used by Microsoft, both in phishing attacks and to control other parts of their operations. Many of these domains used words trademarked by Microsoft (this appears to have been the basis for the suit).
By suing and winning, Microsoft is now able to take ownership of the domains, thus preventing their abuse in future attacks. Where these domains are used in ongoing attacks, the transfer will likely shut those attacks down.
This works to Microsoft’s advantage in two ways: for one, it keeps their customers safe from similar attacks. For another, it prevents damage to Microsoft’s image should victims fail to realize that the domains used by APT28 are not actually associated with Microsoft.
Action Speed
The second element of Microsoft’s strategy focusses on action speed. Traditionally, they would need to handle every single malicious domain individually and either try to get it blacklisted or reassigned to them. The verdict in this case both establishes precedent and prohibits APT28 from buying any further Microsoft-related domain names.
While the group is very likely to do so, the standing prohibition means that Microsoft won’t need to go to court over each new domain. Rather, they can directly contact authorities to have domains reassigned.
The mechanism is similar to the question on visa applications for various countries asking travelers “are you affiliated with any terrorist networks?”. No-one is expected to answer yes. But should a connection be discovered later on, proving a crime might be difficult and time-consuming. Proving that the applicant lied on the form, however, is instant and thus greatly speeds up the process.
Ease of Winning
The final element of Microsoft’s strategy is that it is virtually guaranteed to succeed. Since the USA allows filing civil suits against anonymous defendants and awards victory to the accusing party if the defending party fails to appear in court, Microsoft had nothing to lose. Due to the criminal investigations pending against APT28 and the anonymity vital to their operations, it is impossible for them to appear in court. Thus Microsoft only needed to file the suit and wait for it to be processed.
Summary
Legal tools are not often useful for fighting malicious hackers. However, as this case shows, they can sometimes play an important assisting role. While proper organization and policy remain paramount for information security officers, legal proceedings should not be discounted.