Court documents unsealed today revealed that Microsoft has been waging a secret battle against a group of Iranian government-sponsored hackers.
The OS maker sued and won a restraining order that allowed it to take control of 99 web domains that had been previously owned and operated by a group of Iranian hackers known in cyber-security circles as APT35, Phosphorus, Charming Kitten, and the Ajax Security Team.
The domains had been used as part of spear-phishing campaigns aimed at users in the US and across the world.
APT35 hackers had registered these domains to incorporate the names of well-known brands, such as Microsoft, Yahoo, and others. The domains were then used to collect login credentials for users the group had tricked into accessing their sites. The tactic is decades old but is still extremely successful at tricking users into unwittingly disclosing usernames and passwords, even today.
Some of the domains Microsoft has confiscated include the likes of outlook-verify.net, yahoo-verify.net, verification-live.com, and myaccount-services.net.
Microsoft said it received substantial support from the domain registrars, which transferred the domains over to Microsoft as soon as the company obtained a court order.
Companies often use court orders to take over domains that infringe on their trademark and copyrights. However, over the past year, Microsoft has been using this legal trickery to fight off hacker groups as well.
Further, this isn't the first time Microsoft has used a court order to take over domains that were previously under the control of government-backed cyber-espionage groups.
Over the 2018 summer, Microsoft also took control over domains operated by APT28, a Russian cyber-espionage group also known as Strontium and Fancy Bear. Microsoft Corporate Vice President of Customer Security & Trust Tom Burt said today in a blog post that they used this trick 15 times to take control of 91 domains operated by APT28, some of which were being used for campaigns aimed at the US 2018 midterm elections.
The practice of using court orders to take over malware domains isn't new, but until recently has only been used by US government agencies when they wanted to take over the command and control servers of malware botnets.
Recent cases include when the FBI used it to take control of the VPNFilter router malware last May, and when the DOJ used it in January this year to take control of Joanap, a botnet built by North Korean state hackers.