Microsoft uses court order to shut down APT35 websites

Court orders are becoming an important tool in tech companies’ fight against nation-state-backed hacking groups.

Microsoft has used a court order to wrest control of 99 websites from suspected Iranian hackers who were using them to conduct cyberattacks, court documents unsealed Wednesday show.

The tech giant last week took down websites that were “core to [the] operations” of an Iranian hacking group known as APT35 or Phosphorus, Tom Burt, a Microsoft vice president, wrote in a blog post.

APT35, also known as Charming Kitten, used spoofed websites of well-known companies, including Microsoft and Yahoo, to conduct their malicious activity, he said. But the court order will force the group to recreate some of that infrastructure.

The hackers have sought to steal sensitive information from businesses and government agencies, Burt wrote, though he did not specify the targets by name. APT35 also has a penchant for targeting journalists and activists who focus on Iran. Multiple years of tracking the group allowed Microsoft to build a “decisive legal case” against the hackers, which was heard in the U.S. District Court for Washington, D.C., he added.

The intelligence gathered from the “sinkholing” of the malicious sites will be added to Microsoft’s case file on the group and used to strengthen the company’s security tools, Burt wrote.

Court orders are an important part of tech companies’ fight against alleged nation-state-backed groups that use the companies’ technology for cyber operations. Last August, Microsoft announced the takedown of six internet domains set up by the Russian-government-linked group Fancy Bear, also known as APT28.

News of the Microsoft action against APT35 came the same day that researchers from Symantec published research on another Iranian hacking group, APT33, which has used its skills to spy on a plethora of organizations in Saudi Arabia and the U.S.

Written by Sean Lyngaas