Microsoft's No-IP seizure hit Syrian Electronic Army hard

Microsoft's legal action against a dynamic DNS provider could have made life very difficult for a number of online attack groups.
Written by Liam Tung, Contributing Writer on

Microsoft has been accused of being heavy-handed in its domain seizure this week, but it's reportedly disrupted a quarter of major attack groups tracked by one security firm.

On Monday, Microsoft seized 22 domains under the control of No-IP.com, a dynamic DNS service provider. The company is now trying to its restore services following Redmond's action.

A US court granted Microsoft the authority to seize the domains after the company accused No-IP of failing to take action despite knowing that cybercriminals were using its domains to distribute malware. The malware in this case was Bladabindi (NJrat) and Jenxcus (NJw0rm), which together predominantly used No-IP to generate over seven million infections in the past year. The legal action was also aimed at a Kuwaiti national and an Algerian national that Microsoft says are behind the malware.

No-IP claims that it regularly works with companies when it hears of customers conducting malicious activity on its service. It said Microsoft had not contacted it at all before yesterday's seizure, leading to claims by some security experts that Microsoft had been heavy-handed.

Microsoft yesterday also confirmed that due to a technical issue, it accidentally impacted some No-IP customers outside the scope of its action.

However, Microsoft may have made a major dint in some of the most troublesome attack groups on the internet, such as the now-infamous Syrian Electronic Army (SEA), which has hacked eBay, the Washington Post, and Microsoft multiple times, among others.

According to Kaspersky Lab research director Costin Raiu, the takedown impacted a quarter of the "advanced persistent threat" actors it's been tracking. Among them are the SEA, the controversial Italian lawful intercept vendor the Hacking Team, and Flame, a well-known piece of malware discovered in 2012.

SEA is likely to face the most significant difficulties going forward, while others will simply move their botnet command and control (C&C) infrastructure elsewhere.

"For some groups, such as Syrian Electronic Army, the effect is probably very serious, as it affects a large amount of their C&Cs. For others, it will be noticeable, at least annoying if not a problem. In the future, the bad guys will be more careful in using Dynamic DNS providers and will rely more often on other methods of control," Raiu told ZDNet.

Microsoft's botnet takedowns in the past have been criticised in the past for essentially snatching domains that other security researchers had 'sinkholed' and claimed them for itself. In this instance, Raiu said its research was also disrupted.

"Two hosts previously used in APT attacks that we were sinkholing were also taken away from us. We were using the logs from these, together with other data from our sinkhole to notify victims in many different countries," said Raiu.

Read more on security

Editorial standards


How much RAM does your Windows 11 PC need?

How much RAM does your Windows 11 PC need?

What is ChatGPT and why does it matter? Here's what you need to know
chat bot

What is ChatGPT and why does it matter? Here's what you need to know

How to nail the 'Do you have any questions for me?' part of the interview
job interview

How to nail the 'Do you have any questions for me?' part of the interview