Microsoft has obtained a court order from the US District Court for Washington, DC authorizing it to take action against APT35 (also known as Phosphorus, Charming Kitten and Ajax Security Team), after the company filed legal action against the group. The Microsoft Digital Crimes Unit and the Microsoft Threat Intelligence Center have tracked APT35 as a threat actor since 2013.
"Our court case against Phosphorus, filed in the US District Court for Washington DC, resulted in a court order enabling us last week to take control of 99 websites the group uses to conduct its hacking operations so the sites can no longer be used to execute attacks," Microsoft said in a statement.
After taking control of the 99 websites, Microsoft redirected traffic from already-infected devices to the Digital Crimes Unit's sinkhole, where the data will be studied to improve upcoming security products.
APT35 is known for spear phishing attacks and for creating fake social media accounts to lure a target into clicking a specific link that leads to malware being installed on the target's system. In the email scenario, the attackers pose as a well-known brand such as Microsoft or Yahoo (which also assisted with the case), claim there is a security risk with the recipient's account, and then ask for their login credentials.
"While we’ve used daily security analytics tracking to stop individual Phosphorus attacks and notify impacted customers, the action we executed last week enabled us to take control of websites that are core to its operations. Our work to track Phosphorus over multiple years and observe its activity enabled us to build a decisive legal case and execute last week’s action with confidence we could have significant impact on the group’s infrastructure," the company said.
APT35's recent activity includes a phishing campaign against American officials charged with enforcing the economic sanctions on Iran imposed by President Trump.
In December 2018 the research firm Certfa discovered an open server listing Gmail and Yahoo email addresses that the hackers had accessed. The Iranian hacking group targeted the private emails of a handful of US Treasury Department officials, as well as others both opposed to and supportive of the Iran nuclear deal forged during the Obama administration.
This is the fifteenth time Microsoft has used this approach to gain permission to grab criminal websites.
"The size of Microsoft’s legal action in taking control of these domains is much larger than the company has taken in previous years against similar incidents. Cooperation among private sector corporate leaders like Microsoft and allied federal governments is important in cyber-security. This is a positive step in demonstrating a strong and united front against nation state cyber-threats," said Ryan Weaver, security researcher, DomainTools.