Microsoft’s secret weapon in ongoing struggle against Fancy Bear? Trademark law

On Friday, representatives of the notorious hacking entity known as Fancy Bear failed to appear in a federal court in Virginia to defend themselves against a civil lawsuit brought by Microsoft.

As the Daily Beast first reported on Friday, Microsoft has been waging a quiet battle in court against the threat group, which is believed to be affiliated with the GRU, Russia's foreign intelligence agency. For now, the company has managed to seize control of 70 domain names, but it's going after many more.

The idea of the lawsuit, which was filed in August 2016, is to use various federal laws—including the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), and American trademark law—as a way to seize command-and-control domain names used by the group, which goes by various monikers, including APT28 and Strontium. Many of the domain names used by Fancy Bear contain Microsoft trademarks, like microsoftinfo365.com and hundreds of others.

In June 2017, Microsoft asked the judge to issue a default judgement in its favor, since the individuals behind Fancy Bear have not made themselves known. According to the Daily Beast, Microsoft and its lawyers have made several attempts to serve the unknown "John Does" via e-mail. According to the Daily Beast, those e-mails have been opened dozens of times and were equipped with a tracking beacon. Microsoft’s lawyers have also conveniently posted all the court documents on a public website, inviting the defendants to contact them via postal mail, e-mail, or even fax.

For years, Microsoft has used similar American intellectual property laws as a way to disrupt various botnets and other malware.

"Granting Microsoft possession of these domains will enable Microsoft to channel all communications to those domains to secure servers, thereby cutting off the means by which the Strontium defendants communicate with the infected computers," Jason Norton, a threat intelligence manager at Microsoft, wrote in an August 2016 court filing.

"In other words, any time an infected computer attempts to contact a command and control server through one of the domains, it will instead be connected to a Microsoft-controlled, secure server. While it is not possible to rule out the possibility that the Strontium defendants could use fallback mechanisms to evade the requested relief, redirecting this core subset of Strontium domains will directly disrupt current Strontium infrastructure, mitigating risk and injury to Microsoft and its customers."

US Magistrate Judge Theresa Buchanan is expected to rule on the motion for default judgement within the coming months.