Intentionally or not, Microsoft has emerged as a kind of internet cop, thanks to its efforts to thwart Russian hackers.
The company’s announcement Tuesday that it disrupted fake internet domains mimicking conservative U.S. political institutions sparked confusion and alarm on Capitol Hill and led Russian officials to accuse the company of participating in an anti-Russian “witch hunt.”
Microsoft stands virtually alone among tech companies with its aggressive approach, which uses U.S. courts to fight computer fraud and seize hacked websites back from malicious perpetrators. In the process, it takes on a role that might look more like the job of government than a corporation.
In the case this week, the company did not just accidentally stumble onto a couple of harmless spoof websites. The discovery was part of an ongoing legal fight against Russian hackers that began in the summer before the 2016 presidential election and was part of a broader, decade-long battle to protect its brand from cybercrime.
“What we’re seeing in the last couple of months appears to be an uptick in activity,” Brad Smith, Microsoft’s president and chief legal officer, said in an interview this week. Microsoft says it caught these particular sites early and that there’s no evidence they were used in hacking attacks.
The Redmond, Washington, company sued the hacking group it calls Strontium in August 2016, arguing that it was breaking into Microsoft accounts and computer networks and stealing highly sensitive information from customers. The group, Microsoft said, would send “spear-phishing” emails linking to realistic-looking fake websites in hopes that targeted victims — including political and military figures — would click.
In addition to computer fraud, the company makes arguments based on trademark and copyright infringement.
One email introduced as court evidence in 2016 showed a photo of a mushroom cloud and a link to an article about how Russia-U.S. tensions could trigger World War III. Clicking on the link might expose a user’s computer to infection, hidden spyware or data theft.
Others call the group Fancy Bear or APT28. An indictment from U.S. special counsel Robert Mueller has tied it to Russian’s main intelligence agency, known as the GRU, and to the 2016 email hacking of both the Democratic National Committee and Democrat Hillary Clinton’s presidential campaign.
Maurice Turner, a senior technologist at the industry-backed Center for Democracy and Technology, said Microsoft is wholly justified in its approach to identifying and publicizing online dangers.
“Microsoft is really setting the standards with how public and how detailed they are with reporting out their actions,” Turner said.
Companies including Microsoft, Google and Amazon are uniquely positioned to do this because their infrastructure and customers are affected. Turner said they “are defending their own hardware and their own software and to some extent defending their own customers.”
Turner said he has not seen anyone in the industry as “out in front and open about” these issues as Microsoft.
Microsoft’s Windows operating system had long been a prime target for viruses when in 2008 the company formed its Digital Crimes Unit, an international team of attorneys, investigators and data scientists. The unit became known earlier in its decade for taking down botnets, collections of compromised computers used as tools for financial crimes.
Richard Boscovich, a former federal prosecutor and a senior attorney in Microsoft’s digital crimes unit, testified to the Senate in 2014 about how Microsoft used civil litigation as a tactic. Boscovich is also involved in the fight against Strontium, according to court filings.
To attack botnets, Microsoft would take its fight to courts, suing on the basis of the federal Computer Fraud and Abuse Act and other laws and asking judges for permission to sever the networks’ command-and-control structures.
“Once the court grants permission and Microsoft severs the connection between a cybercriminal and an infected computer, traffic generated by infected computers is either disabled or routed to domains controlled by Microsoft,” Boscovich said in 2014.
He said the process of taking over the accounts, known as “sinkholing,” enabled Microsoft to collect valuable evidence and intelligence used to assist victims.
Smith said this week the company is still investigating how the six newly discovered domains might have been used.