The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Microsoft's takedown of Iranian fake sites shows 'creative lawyering,' experts say


As foreign government-backed hackers increase their attacks against the private sector, companies are increasingly taking matters into their own hands and coming up with creative ways to shut them down. 

Microsoft used a novel legal strategy to get a court order to shut down 99 malicious websites that appeared to be sponsored by the Washington state tech giant but were actually phony — a ploy by an Iranian government-linked hacking group to steal information from Microsoft customers. 

“The sites were used in a years-long ‘spear-phishing’ campaign that targeted corporations and government agencies, as well as activists and journalists, particularly those involved in advocating and reporting on issues related to the Middle East,” my colleagues Ellen Nakashima and Spencer S. Hsu reported.

The group — which Microsoft calls “Phosphorus” but other cybersecurity companies have dubbed “APT 35,” “Ajax Security Team” and “Charming Kitten” — sent those people emails and social media posts directing them to the phony sites where they might load malicious software on their computers.  Microsoft hasn't linked the group to Iran,  but other cybersecurity firms have, including the companies ClearSky Cyber Security and iSight Partners, which was later acquired by FireEye. 

Instead of just reporting the issue to the FBI and waiting for the government's help, Microsoft got the legal go-ahead to take action by citing violations of laws that were written long before the modern Internet. 

In this case, Microsoft argued Phosphorus was violating the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act — both laws from the 1980s. The company also claimed Phosphorus was violating its trademarks because it was using Microsoft product names on its phony websites.

That's the sort of “creative lawyering” companies must rely on if they want to move beyond simply playing defense, Marcus Christian, a former federal prosecutor who focused on computer crimes, told me.

Microsoft then worked with domain hosts to shut down the fake sites and redirect their Web traffic to part of Microsoft’s own network. That way the company can not only protect its customers, but also gather data that will help it combat future attacks from the hacking group.

“These companies and their legal teams have to find ways to be creative and to adapt the existing laws to the electronic age we live in,” Joseph Campbell, a former assistant director of the FBI’s Criminal Investigative Division, told me.

Given the pace at which hackers are adapting their techniques, “those challenges are only going to continue to grow,” said Campbell, who now directs Navigant Consulting’s risk and compliance division.

It’s not clear how often companies are employing similar legal strategies to shut down hacking groups’ infrastructure because many cases are either under legal seal or not publicized by the companies, said Christian, an attorney with the Mayer Brown law firm.

The practice has certainly increased in recent years, Christian said, but it’s probably limited to large companies such as Microsoft — which have substantial legal resources, cybersecurity know-how and a deep financial investment in making the Internet a safer place.

In this case, Microsoft had been tracking the Phosphorus group since as far back as 2013, Tom Burt, the company’s corporate vice president for customer security and trust, said in a blog post.

“Our work to track Phosphorus over multiple years and observe its activity enabled us to build a decisive legal case and execute last week’s action with confidence we could have significant impact on the group’s infrastructure,” Burt said.  

A Microsoft representative declined to say whether the company had cooperated with law enforcement on the Phosphorus operation or whether it was sharing what it learned about Phosphorus with the government.

Microsoft pioneered similar tactics by shutting down zombie computer armies known as botnets in 2010. It was also responsible for the previous case with the highest profile — shuttering sites owned by the Russian hacking group it calls "Strontium' last year. That group, which  other companies call "APT 28" and "Fancy Bear," was also responsible for hacking Democratic emails during the 2016 presidential election. 

Since August, Microsoft has used the strategy 15 times to shut down 91 fake Strontium websites, Burt said.


PINGED: Britain’s spy agency can provide only “limited assurance” that the nation can manage the long-term security risks posed by Huawei equipment being deployed in its wireless networks, according to a report out this morning.

The report comes as British officials are mulling whether to allow the Chinese telecom giant to play a role in developing the nation’s next-generation 5G networks, given concerns it could spy for the Chinese government. The U.S. has been lobbying allies to bar Huawei from 5G, but many European nations are less concerned.

“This is the second consecutive year the Government Communications Headquarters, or GCHQ — the British spy agency equivalent to the U.S. National Security Agency — has identified serious problems. This year, officials said they have found ‘further significant technical issues’ in the firm’s engineering processes, as well as continued ‘concerning issues’ in Huawei software, ‘leading to new risks’ in Britain’s 4G telecom networks,” my colleague Ellen reported.

“GCHQ officials also seemed to offer Huawei some wiggle room,” however, “concluding that ‘Huawei’s transformation plan’ to fix its problems ‘could in principle be successful,’ and cited Huawei’s estimate of three to five years,” Ellen reported.

Huawei has denied spying for the Chinese.

PATCHED: Top Democrats on four key Senate committees are seeking more information about how election equipment makers are securing their technology against hackers.

The letter from Sens. Amy Klobuchar (Minn.), Mark Warner (Va.), Jack Reed (R.I.) and Gary Peters (Mich.) includes 16 questions for chief executives of the nation’s three largest election-systems makers – which collectively supply machines and software for about 92 percent of United States voters.  

Security researchers have criticized those companies — Election Systems & Software, Dominion Voting Systems and Hart InterCivic — for not being transparent enough about their security practices.

The senators want to know whether the executives support measures championed by cybersecurity advocates, such as paper ballots and post-election audits. They also ask how much the companies are investing in security research, whether they have dedicated cybersecurity workers on staff and whether they’re willing to allow independent security researchers to vet their systems.

PWNED: Women make up less than one-fourth of the cybersecurity workforce, “which can lead to less innovation, inferior design, seriously underutilized human potential, and needlessly unfilled jobs in a growing field,” according to a study out today from the New America think tank.

The organization convened a group of experts from across cybersecurity fields to tackle the problem. Their three big ideas:

  • Connect existing efforts to bring more women into the cybersecurity field and boost those efforts’ funding
  • Create more private-sector programs to recruit and retain female cybersecurity professionals
  • Create marketing and media strategies that raise the profiles of successful women in cybersecurity

The report includes a list of several dozen programs aimed at aiding women in the cybersecurity field.


Cybersecurity news from the public sector:

Former NSA Contractor Expected to Plead Guilty This Week for Theft of Top Secret Documents (Wall Street Journal)

Former CIA leaders give ‘briefing book’ to 2020 candidates to counteract ‘fake news’ and ‘foreign election interference’ (Shane Harris)

Exclusive: Fearful of fake news blitz, U.S. Census enlists help of... (Reuters)

Kushner provides documents to House Judiciary in obstruction probe (CNN)

Dark web marketplace Dream Market to close after U.S. police nab suspected vendors - CyberScoop (Cyberscoop)


Cybersecurity news from the private sector:

Facebook says it will now block white-nationalist, white-separatist posts (Tony Romm and Elizabeth Dwoskin)