Microsoft uses court order to shut down APT35 websites

Microsoft has used a court order to wrest control of 99 websites from suspected Iranian hackers that were using them to conduct cyberattacks, court documents unsealed Wednesday show.

The tech giant last week took down websites that were “core to [the] operations” of an Iranian hacking group known as APT35 or Phosphorus, Tom Burt, a Microsoft vice president, wrote in a blog post.

APT35, also known as Charming Kitten, used spoofed websites of well-known companies, including Microsoft and Yahoo, to conduct their malicious activity, he said. But the court order will force the group to recreate some of that infrastructure.

The hackers have sought to steal sensitive information from businesses and government agencies, Burt wrote, though he did not specify the targets by name. APT35 also has a penchant for targeting journalists and activists who focus on Iran. Multiple years of tracking the group allowed Microsoft to build a “decisive legal case” against the hackers which was heard in the U.S. District Court for Washington D.C, he added.

The intelligence gathered from the “sinkholing” of the malicious sites will be added to Microsoft’s case file on the group and used to strengthen the company’s security tools, Burt wrote.

Court orders are an important part of tech companies’ fight against alleged nation-state-backed groups that use the companies’ technology for cyber operations. Last August, Microsoft announced the takedown of six internet domains set up by Russian-government-linked Fancy Bear or APT 28.

News of the Microsoft action against APT35 came the same day as researchers from Symantec published research on another Iranian hacking group, APT33, that has used its skills to spy on a plethora of organizations in Saudi Arabia and the U.S.