The Logic Behind Suing Hackers

Microsoft successfully sued the Russian "Fancy Bear" (APT28) hacking group, which has been blamed for many cyber attacks, including the DNC hack in 2016. Wait... is Microsoft actually suing hackers?!?

First Published 25th August 2017 |  Latest Refresh 23rd January 2022


Microsoft gets its 'Perry Mason moment'.

3 min read  |  Reflare Research Team

Let's litigate!?

Microsoft won a court case against APT28, better known as the hacking group "Fancy Bear" and alleged to have been behind the DNC hacks of 2016. Microsoft filed the suit through ordinary civil legal channels. To casual onlookers this looks erratic: surely hackers will not show up in court to defend themselves, and they will not feel bound by a court decision.

Still, Microsoft’s actions are rational and effective. In this briefing, we will have a look at why.


The first element of Microsoft's strategy is to win ownership of domain names. APT28 has registered several domain names mimicking Microsoft's, using them in phishing attacks and to control other parts of its operations. Many of these domains contain words trademarked by Microsoft, which appears to have been the basis for the suit.

By suing and winning, Microsoft can now take ownership of those domains, preventing their abuse in future attacks. Where a domain is in use in an ongoing attack, reassigning it will likely shut that attack down.

This works to Microsoft's advantage in two ways. First, it protects its customers from similar attacks. Second, it limits reputational damage to Microsoft should victims fail to realize that the domains used by APT28 are not actually associated with the company.
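Defenders do not have to wait for a court order to notice brand-bearing lookalike domains in their own traffic. The following is an added example (not code from the original article, Reflare or Microsoft) of the check a detection engineer would run over proxy logs: any hostname that carries a protected brand name, after undoing common digit-for-letter substitutions, but whose registrable domain is not on the brand's own allowlist gets flagged. The allowlist, the brand token list, the homoglyph table and the log lines are all constructed for illustration; a real deployment would use the Public Suffix List instead of the naive "last two labels" rule.

```python
"""Flag hostnames that carry a protected brand name but sit outside the brand's own domains.

Added example. LEGIT_DOMAINS, BRAND_TOKENS, HOMOGLYPHS and the sample log are constructed
assumptions for illustration, not data from the article or from Microsoft.
"""
from urllib.parse import urlparse

# Assumed allowlist of domains the brand genuinely controls.
LEGIT_DOMAINS = {"microsoft.com", "live.com", "office.com", "outlook.com", "onedrive.com"}
# Assumed list of trademarked brand tokens to look for inside hostnames.
BRAND_TOKENS = ("microsoft", "onedrive", "outlook", "office365")
# Common substitutions used to make a lookalike pass a casual glance.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})

# Constructed proxy log: "<timestamp> <client-ip> <url>" per line.
CONSTRUCTED_PROXY_LOG = """\
2017-08-20T10:01:02Z 10.0.0.5 https://login.microsoft.com/common/oauth2
2017-08-20T10:01:09Z 10.0.0.5 https://microsoft.com.account-verify.net/login
2017-08-20T10:02:11Z 10.0.0.7 https://micros0ft-online.com/owa
2017-08-20T10:03:30Z 10.0.0.9 https://example.org/index.html
2017-08-20T10:04:00Z 10.0.0.5 https://outlook.office.com/mail
"""


def normalize(host: str) -> str:
    """Lower-case the host and undo digit-for-letter and 'rn'-for-'m' substitutions."""
    return host.lower().strip(".").translate(HOMOGLYPHS).replace("rn", "m")


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (use the Public Suffix List in production)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def brand_token(host: str):
    """Return the first protected brand token found in the normalized host, or None."""
    norm = normalize(host)
    for token in BRAND_TOKENS:
        if token in norm:
            return token
    return None


def flag_lookalikes(log_text: str):
    """Return (host, token) pairs for brand-bearing hosts whose registrable domain is not allowlisted."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash the pipeline
        host = urlparse(parts[2]).hostname or ""
        if not host or registrable_domain(host) in LEGIT_DOMAINS:
            continue  # genuine brand infrastructure, or no host to inspect
        token = brand_token(host)
        if token:
            flagged.append((host, token))
    return flagged


if __name__ == "__main__":
    for host, token in flag_lookalikes(CONSTRUCTED_PROXY_LOG):
        print(f"lookalike: {host} (contains '{token}')")
```

Run against the constructed log, the subdomain trick (`microsoft.com.account-verify.net`) and the homoglyph trick (`micros0ft-online.com`) are both flagged, while `login.microsoft.com` and `outlook.office.com` pass because their registrable domains are on the allowlist.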

Action + Speed

The second element of Microsoft's strategy is speed of action. Without such a ruling, Microsoft would need to handle every single malicious domain individually, either trying to get it blacklisted or reassigned. The verdict in this case both establishes a precedent and prohibits APT28 from registering any further Microsoft-related domain names.

The group is very likely to register them anyway, but the standing prohibition means that Microsoft won't need to go back to court over each new domain. Rather, it can go directly to the relevant authorities to have the domains reassigned.

The mechanism is similar to the question on many countries' visa forms asking travellers "are you affiliated with any terrorist networks?". No one is expected to answer yes. But should such a connection be discovered later on, proving a crime might be difficult and time-consuming, whereas proving that the applicant lied on the form is immediate, and that greatly speeds up the process.

The ease of winning

The final element of Microsoft's strategy is that it was virtually guaranteed to succeed. US courts allow civil suits against anonymous ("John Doe") defendants and enter a default judgment for the plaintiff if the defendant fails to appear, so Microsoft had nothing to lose. Given the criminal investigations pending against APT28 and the anonymity vital to its operations, its members cannot appear in court. Microsoft only needed to file the suit and wait for it to be processed.

Taking legal action after you've been hacked doesn't stop you from being hacked

Legal tools are rarely useful for fighting malicious hackers. However, as this case shows, they can sometimes play an important supporting role. Sound organization and policy remain paramount to information security efforts, but legal proceedings should not be discounted. Litigating after a security breach does very little to prevent the next one, though. Proactively improving your cybersecurity capabilities is the better investment, and with luck you will never need to spend the cash on litigating a hacker in the first place. Even if you win your case (yay), the defendant isn't going to cover your costs (boo).
