Microsoft sues to take control of domains involved in Iran hacking campaign

Microsoft has won a restraining order in a U.S. court in order to take control of domains used by an Iranian hacker group.

The software and cloud giant applied to the court in order to take control of 99 websites used by the hacker group, known as Phosphorus or APT 35, in various hacking operations. The court granted the motion earlier this month but it was unsealed this week, said Microsoft’s consumer security chief Tom Burt in a blog post.

The granted order allowed Microsoft to take control of the domains from the registrars and host the domains on Microsoft’s own servers, including “outlook-verify.net” and “yahoo-verify.net,” and redirect malicious traffic safely into a Microsoft-controlled sinkhole.

“Throughout the course of tracking Phosphorus, we’ve worked closely with a number of other technology companies, including Yahoo, to share threat information and jointly stop attacks,” said Burt. (TechCrunch and Yahoo are both owned by Verizon Media.)

The hacker group is believed to be linked to former U.S. Air Force counter-intelligence officer Monica Witt, who defected to Tehran in 2013 and is now wanted by the FBI for alleged espionage. The hackers have targeted academics and journalists with spearphishing campaigns designed to look like Yahoo and Google login pages but can defeat two-factor authentication.

It’s the latest legal action Microsoft has taken against a hacker group. Last year, the company filed a suit against Strontium, known as APT 28 or “Fancy Bear” — associated with the Russian state intelligence agency GRU. It was one of a dozen actions over two years to take down fake websites used to trick targets into turning over their usernames and passwords.