
How Microsoft Retaliated Against APT35 Hacker Group



Recently, Microsoft seized several domains to disrupt the APT35 threat group. Over 99 domains were seized by Microsoft’s Digital Crimes Unit (DCU) to halt cyberattacks by APT35, which relied primarily on spearphishing for its operations. Microsoft used a court order issued against the group to seize these domains.

APT35, which is also known by other names such as Charming Kitten and Phosphorus, is an Iran-based threat group that operates mainly in the Middle East. The group targets large businesses as well as governmental organizations. In addition, APT35 has been observed focusing on individuals who report on social issues in the Middle East.

Court Order
Microsoft has used a court order to wrest control of 99 websites from suspected Iranian hackers who were using them to conduct cyberattacks. Microsoft last week took down websites that were “core to [the] operations” of an Iranian hacking group known as APT35 or Phosphorus, Tom Burt, a Microsoft vice president, wrote in a blog post.

APT35, also known as Charming Kitten, used spoofed websites of well-known companies, including Microsoft and Yahoo, to conduct its malicious activity, he said. The court order will force the group to rebuild some of that infrastructure.

The hackers have sought to steal sensitive information from businesses and government agencies, Burt wrote, though he did not name the targets. APT35 also has a penchant for targeting journalists and activists who focus on Iran. Multiple years of tracking the group allowed Microsoft to build a “decisive legal case” against the hackers, which was heard in the U.S. District Court for Washington, D.C., he added.

Court orders are an important part of Microsoft’s fight against alleged nation-state-backed groups that use the company’s technology for cyber operations. Last August, Microsoft announced the takedown of six internet domains set up by the Russian-government-linked group Fancy Bear, also known as APT28.

The Operation
During the tracking operation, Microsoft says that it also “worked closely with a number of other technology companies, including Yahoo, to share threat information and jointly stop attacks.”

Microsoft’s Tom Burt, Corporate Vice President, Customer Security & Trust, said that “While we’ve used daily security analytics tracking to stop individual Phosphorus attacks and notify impacted customers, the action we executed last week enabled us to take control of websites that are core to its operations. Our work to track Phosphorus over multiple years and observe its activity enabled us to build a decisive legal case and execute last week’s action with confidence we could have a significant impact on the group’s infrastructure.”

News of the Microsoft action against APT35 came the same day that researchers from Symantec published research on another Iranian hacking group, APT33, which has used its skills to spy on a plethora of organizations in Saudi Arabia and the U.S. Microsoft’s Digital Crimes Unit executed this operation yesterday. According to Tom Burt, Corporate VP of Customer Security & Trust at Microsoft, traffic from devices affected by these domains was diverted through sinkholing so that the malicious domains could be tracked.

“The action we executed last week enabled us to take control of 99 websites and redirect traffic from infected devices to our Digital Crime Unit’s sinkhole. The intelligence we collect from this sinkhole will be added to MSTIC’s existing knowledge of Phosphorus and shared with Microsoft security products and services to improve detections and protections for our customers,” Burt wrote in a blog.
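The sinkhole loop Burt describes can be modelled in a few lines. The script below is an added example, not code from the article or from Microsoft: once seized domains resolve to a defender-controlled host, every request that still arrives there comes from a device that believes the old infrastructure is live, so the sinkhole log doubles as a victim list. The domains, IP addresses and the log format ("timestamp src_ip host path") are constructed placeholders, not real indicators.

```python
# Added example, not from the article or Microsoft. A minimal model of the
# sinkhole loop the article describes: once seized domains resolve to a
# defender-controlled host, every request reaching it comes from a device that
# still believes the old infrastructure is live. The script parses constructed
# sinkhole request logs and lists sources to notify. Domains, IPs and the log
# format ("timestamp src_ip host path") are assumed placeholders.
from collections import Counter
import re

# Constructed stand-ins for the seized domains (not real indicators).
SEIZED_DOMAINS = {"login-micros0ft.example", "yah00-verify.example"}

# Constructed log lines, including one malformed line and one unrelated host.
SINKHOLE_LOG = """\
2019-03-27T10:00:01Z 203.0.113.10 login-micros0ft.example /account/verify
2019-03-27T10:00:05Z 203.0.113.10 LOGIN-MICROS0FT.EXAMPLE /account/verify
2019-03-27T10:01:12Z 198.51.100.7 yah00-verify.example /signin
2019-03-27T10:02:40Z 192.0.2.55 www.example.org /index.html
garbage line that should be skipped
2019-03-27T10:03:09Z 198.51.100.7 login-micros0ft.example /account/verify
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_log(text: str) -> list[tuple[str, str, str, str]]:
    """Return (timestamp, src_ip, host, path) tuples; malformed lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(m.groups())
    return hits

def infected_sources(hits) -> dict[str, int]:
    """Count contacts per source IP for seized domains only.
    Requests for any other host (scanners, stray traffic) are ignored."""
    return dict(Counter(src for _, src, host, _ in hits
                        if host.lower() in SEIZED_DOMAINS))

def notification_list(text: str) -> list[tuple[str, int]]:
    """Sources ordered by contact count, then IP: the devices to notify."""
    counts = infected_sources(parse_log(text))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for src, n in notification_list(SINKHOLE_LOG):
        print(f"{src}\t{n} contact(s) with seized infrastructure")
```

In a real deployment the source list would feed the customer notifications and detection updates the article mentions; the hostname comparison is case-insensitive because DNS names are.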

Microsoft’s extensive monitoring of the group enabled it to retaliate successfully and on a wide scale.

