Microsoft Acquires Six Domains It Attributes To Fancy Bear Hacker Group

Microsoft announced last week that it acquired six domain names believed to belong to a group of state hackers known as Fancy Bear, Strontium or APT28. Some domains have names related to political targets.

Microsoft writes that its Digital Crimes Unit has acquired the domain names via a court order. This approach is not new and has been successfully used by Microsoft twelve times in the past two years to take a total of 84 sites of the hacker group offline. In the current case, it concerns domain names that resemble certain names, such as the International Republican Institute, which focuses on the development of democracy, and the Hudson Institute, a think tank. Some other domains refer to the US Senate.

Microsoft says the domains are indicative of a broadened target audience for Fancy Bear, but it has no evidence that they were actually used for a successful attack. For example, an attack could consist of forwarding targets to the domains for phishing, or using the domains for targeted phishing emails. Microsoft itself does not explicitly mention these possibilities. The company has been in contact with the International Republican Institute and the Hudson Institute to take next steps.

Microsoft writes: “Despite the steps we took last week, we are concerned about continued activity targeting elected officials, politicians, political groups and think tanks across the political spectrum in the US. Taken together, the current pattern is similar to what we saw for the 2016 US election and the 2017 French election.” The US is currently preparing for the so-called Midterm Elections, which will take place in November. This includes the seats in the House of Representatives and part of the Senate.

By referring to the French elections, Microsoft is probably referring to the phishing attacks on the Macron campaign, which were also attributed to Fancy Bear. That is the same group that was also blamed for the hack on the Democratic party in 2016. For those hacks, US special counsel Robert Mueller recently indicted 13 Russians, who are alleged to be employed by the Russian military intelligence service GRU.

Along with the current announcement, Microsoft is announcing the official launch of the so-called AccountGuard initiative. That is an extension of its previously announced Defending Democracy program, with which it wants to protect political parties against internet attacks and combat disinformation campaigns, among other things. AccountGuard is intended for all eligible individuals in local, federal and state elections, as well as the campaigns of members of Congress and support companies and organizations. They must already have Office 365.

AccountGuard provides threat detection for email systems and accounts, which should be used to detect attacks. In addition, participating organizations will receive security education and access to previews of security features that Microsoft believes are normally reserved for large enterprise customers and governments.