Microsoft foils domain-spoofing campaign orchestrated by Fancy Bear
22 August 2018
Microsoft recently took control of six “domain-spoofing” Internet domains that it said were previously controlled by the infamous Russian hacker group Fancy Bear. The domains mimicked genuine domains belonging to democratic institutions and think-tanks in the U.S., such as the International Republican Institute and the Hudson Institute.
Domain-spoofing: the primary tool of Fancy Bear
This isn’t the first time that Fancy Bear has been found to be in the centre of carefully-planned domain-spoofing campaigns. Earlier this year, researchers at ThreatConnect revealed how the malicious group spoofed domains belonging to the World Anti-Doping Agency (WADA), the US Anti-Doping Agency (USADA), and the Olympic Council of Asia (OCASIA).
According to the researchers, the domain-spoofing campaign carried out by Fancy Bear was likely in retaliation for the ban that prevented Russia from participating in the Winter Olympics hosted by South Korea. It’s no wonder that Putin described home-grown hackers as “patriotically minded” and “free-spirited”.
The “patriotic” Russian hacker group was also allegedly behind a cyber attack on the UK’s Anti-Doping Agency which occurred around the same time as the spoofing of WADA’s domains. In 2016, Fancy Bear hacked into WADA’s database and published embarrassing IAAF doping reports about major Western athletes after the Russian athletic team was banned from participating in World Athletics Championships in London.
A much larger campaign to disrupt democracy
According to Microsoft, the six spoofed domains controlled by Fancy Bear (also known as Strontium and APT28) are part of a much larger campaign rather than isolated incidents carried out by lone wolves. While a couple of the domains mimicked those of the International Republican Institute and the Hudson Institute, the other fake domains appeared to reference the U.S. Senate without spoofing any particular office.
“We have now used this approach 12 times in two years to shut down 84 fake websites associated with this group. Attackers want their attacks to look as realistic as possible and they therefore create websites and URLs that look like sites their targeted victims would expect to receive email from or visit. The sites involved in last week’s order fit this description,” the technology giant said in a blog post.
“… there is “good cause” to believe that Strontium is “likely to continue” its conduct. In the face of this continuing activity, we must work on the assumption that these attacks will broaden further. An effective response will require even more work to bring people and expertise together from across governments, political parties, campaigns and the tech sector,” it added.
To help political parties, democratic institutions, campaign offices and think-tanks detect domain-spoofing campaigns in the run-up to the mid-term elections in November, Microsoft has introduced a new initiative called Microsoft AccountGuard. It is free of charge and will be available to all organisations that use Office 365.
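Detecting this kind of campaign on the defender’s side comes down to spotting newly seen domain names that imitate your own before anyone receives mail from them. The following is an added example, not code from the article, from Microsoft or from AccountGuard: it scores candidate domain names against a watchlist of legitimate domains using the tricks the article describes, namely a swapped top-level domain, digit-for-letter and accented-character homoglyphs, near-miss misspellings, and the genuine name embedded in a longer label. The watchlist, the candidate domains and the substitution table are constructed for the illustration; the actual spoofed domains are not listed on this page.

```python
import unicodedata
from typing import List, Optional, Tuple

# Constructed watchlist of legitimate domains to protect (example values chosen
# for this illustration; the article names the organisations, not these domains).
WATCHLIST = ["iri.org", "hudson.org", "senate.gov"]

# Character substitutions commonly used to make a lookalike label read like the
# genuine one at a glance (digit-for-letter swaps, rn/m, vv/w). Not exhaustive.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Fold a DNS label to a canonical form: lowercase, accents stripped, homoglyphs replaced."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    for lookalike, genuine in HOMOGLYPHS.items():
        s = s.replace(lookalike, genuine)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> Tuple[str, str]:
    """Return (second-level label, TLD). Simplified: assumes a single-label public suffix."""
    parts = domain.lower().strip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")


def lookalike_reason(candidate: str, legit: str) -> Optional[str]:
    """Explain why `candidate` imitates `legit`, or return None if it does not."""
    candidate, legit = candidate.lower(), legit.lower()
    if candidate == legit or candidate.endswith("." + legit):
        return None  # the genuine domain itself or one of its own subdomains
    c_label, c_tld = split_domain(candidate)
    l_label, l_tld = split_domain(legit)
    nc, nl = normalize(c_label), normalize(l_label)
    if nc == nl:
        return "tld swap" if c_tld != l_tld else "homoglyph substitution"
    if nl in nc.split("-"):
        return "brand used as a label token"
    if len(nl) >= 5 and (nc.startswith(nl) or nc.endswith(nl)):
        return "brand used as a prefix or suffix"
    distance = levenshtein(nc, nl)
    if distance <= max(1, len(nl) // 4):
        return f"edit distance {distance}"
    return None


def find_lookalikes(candidates: List[str], watchlist: List[str] = WATCHLIST) -> List[Tuple[str, str, str]]:
    """Return (candidate, imitated domain, reason) for each candidate that imitates a watchlisted domain."""
    hits = []
    for cand in candidates:
        for legit in watchlist:
            reason = lookalike_reason(cand, legit)
            if reason:
                hits.append((cand, legit, reason))
                break
    return hits


# Constructed sample of newly observed domain names, as a certificate transparency
# or passive DNS feed might deliver them; none of these appear in the article.
SAMPLE_DOMAINS = [
    "mail.hudson.org",        # genuine subdomain, must not be flagged
    "hudson.com",             # same label, different TLD
    "hud5on.org",             # digit-for-letter homoglyph
    "hüdson.org",             # accented character standing in for a letter
    "hudsn.org",              # one-character misspelling
    "hudson-login.org",       # brand as a hyphenated token
    "hudsoninstitute.org",    # brand as a prefix of a longer label
    "us-senate-portal.com",   # brand as a token with an unrelated TLD
    "example.com",            # unrelated, must not be flagged
]

if __name__ == "__main__":
    for cand, legit, reason in find_lookalikes(SAMPLE_DOMAINS):
        print(f"{cand:24} imitates {legit:12} ({reason})")
```

The rules are deliberately ordered from strongest to weakest signal, and the edit-distance threshold scales with the length of the protected label so that very short names such as a three-letter acronym do not match everything. A real deployment would feed the watchlist from the organisation’s own registered domains, pull candidates from certificate transparency logs or newly observed domain feeds, and route hits to the team that can block them at the mail gateway and web proxy.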
Basic cyber hygiene is not enough
“It shouldn’t come as a big surprise to anyone that Russians or other nation-states are probing for sensitive information from conservative, liberal, libertarian-leaning organisations. You get the point that if there is valuable information to be gleaned expect groups to be interested in it,” said Sam Curry, Chief Security Officer at Cybereason.
“Simply put, doing the basic hygiene and controls isn’t enough today. Everyone should be on strong authentication and monitoring and the “check marks” should be in place; but the most important ‘check mark’ is a true cyber function with forward-leaning, human intelligence monitoring behavioural telemetry.
“The attackers are human, and in many instances sophisticated. Organisations need teams of people in place to thwart adversarial attempts with the right tools, like EDR tools, that will help the humans in defence win the cyber conflict. Hygiene alone is not enough,” he added.
“Microsoft’s announcement is generating a lot of attention and the focus is overwhelmingly centered on the 2018 mid-term elections. But it’s important not to lose sight of the bigger issue. The focus on think tanks holding pro-sanction views on Russia’s current regime is about espionage.
“In short: spies are going to spy. That’s true whether or not it’s an election year. There seems to be a rush to conclude that these six domains are part of an “attack” on the elections that risks missing the complete threat model – and therefore the complete countermeasures that should be taken,” said Sean Sullivan, Security Advisor at F-Secure.