Microsoft dogs Strontium domains to stop attacks on Ukraine

Microsoft this week seized seven internet domains run by Russia-linked threat group Strontium, which was using the infrastructure to target Ukrainian institutions as well as think tanks in the US and EU, apparently to support Russia's invasion of its neighbor. The seizure is also part of a long-running legal and technical …

  1. JamesTGrant

    Cool, but why are Microsoft doing this?

    I’m wondering what business reason or mandate Microsoft have to do this. Presumably nothing here is related to Microsoft operated infrastructure or Microsoft deployed and owned s/w? Not saying I disagree with what they are doing just wondering what their rationale is. Anyone got any more details?

    1. Doctor Syntax Silver badge

      Re: Cool, but why are Microsoft doing this?

      And why not the authorities in whatever country the servers are located?

      1. Def Silver badge

        Re: Cool, but why are Microsoft doing this?

        Presumably this is part of their effort to protect their customers and users from phishing and more direct attacks. Microsoft have a very large number of users using Outlook, Exchange, Office, Windows, et al. that rely on Microsoft's anti-spam and anti-virus products for their protection.

        Preventing future attacks by neutralising the sources responsible frees up their (Microsoft's) resources to focus elsewhere and with the added benefit of being able to educate people who were naïve enough to fall for phishing attempts in the first place by redirecting them to sites that explain exactly why they shouldn't have clicked that link.

        Also, I don't know about you, but I don't (knowingly) run any software written by my local government.

        What you should really be asking is what are Apple, Google, Amazon, Facebook, Twitter, et al. doing to protect their users?

        1. Anonymous Coward

          Re: Cool, but why are Microsoft doing this?

          If Microsoft was serious about protecting their customers they could start with making Windows more secure and extracting less information from them.

          If they would spend half the money they use for window dressing, marketing and "encouraging" owners to choose Microsoft they would no longer have these problems.

          1. PriorKnowledge

            Playing devil's advocate for a moment...

            Windows has basic security features integrated into it which the competition doesn't match:

            * Firewall filtering by application, user, group, IPSec state, source/dest IP/port/protocol at the same time

            * Simple to apply FDE based on combined TPM, Password and Startup Key with emergency escrow

            * Fully administrator-controlled, certificate-based whitelisting/blacklisting of all executable code

            * A built-in AV/HIPS solution which can be configured to block all unknown software (à la PrevX)

            * Network Intrusion Prevention to identify and block malicious traffic in order to protect legacy software

            * Per-binary digital signatures, allowing for a simple integrity check of the entire system, including DLLs

            * Advanced compile-time and runtime security mitigations which other OSes are yet to implement by default

            * A safe and secure means of enabling backwards compatibility flags for applications up to 25 years old

            * Background updating of trusted root certificates independent of Windows Update to keep PCs working

            A lot of the development for the above relied upon telemetry data collected as early as Windows XP SP2 through CEIP (which was automatically enabled) if people opted to choose Microsoft Recommended Defaults. Backwards compatibility for instance relied upon Microsoft collecting error reports from older software crashing in order to know which shims to develop to best serve the userbase.

            Now let's compare with the competition:

            If you use macOS, you need to install Little Snitch, Santa and Sophos to approximate what Windows has built-in for security. FileVault doesn't allow a startup key but does allow a rough equivalent to TPM+Password in newer Macs. In theory, Apple is heading in a better long-term direction, requiring notarisation of binaries through a CA they control while also putting an end to kexts entirely. But right now they still allow users to override the policy to run non-notarised apps as if they're equal. Until Apple makes notarisation mandatory for an app to be considered signed, it's honestly no better off than Windows with WDAC set to block unsigned binaries and Windows Defender Antivirus set to Zero Tolerance.

            If you use Linux then good luck to you, as the basics are missing in most places (unless you're using RHEL), so you'll need to write a custom SELinux policy and use a tool like opensnitch to get an equivalent result. If you opt for FreeBSD, then you're even more screwed due to a complete lack of mitigations as basic as full ASLR.

            So are we right to say Windows is all bad? Sure it runs a lot of services as SYSTEM, which (when equated to root) Linux and macOS do not. Software patching is also a nightmare on Windows compared to using software repos on RPM/DEB based distros. But at the same time, it has a lot of built-in security tools which are decent which the competition lacks....

            1. Anonymous Coward

              Re: Playing devil's advocate for a moment...

              And yet, it's implicated in 99% of all ransomware attacks, with the 1% or so reserved for VMware machines which are basically Linux subsystems and can also be breached - I have seen this happen from a Windows infection. To be fair, the victim in this case wasn't exactly good at keeping up with security updates because (if I recall correctly) in a fit of ill-judged cost saving they opted for a VMware license which did not allow live updates and then never allowed the required downtime for patching. Duh. But I digress.

              So, you are in effect stating that the said 99% did not do their diligence in securing Windows as it should? Assuming that all these tools are actually built in, is their evident lack of use because they're hard to use, costly, unstable or simply require far more skills than the average admin has?

              Available skills and simplicity of deployment matter too - SELinux, for instance, is certainly not a tool for the average beginner to mess around with, Fail2Ban is not a default install and too needs some work to set up and iptables too requires some effort to get right - ditto for Mac security where some of it is buried so deep that you only become aware of it when it blocks something, which implies you also have no view of it working or not (less experience with that).

              Last but not least is the effort involved in keeping it safe. The latest Google Chrome/Microsoft Edge alert means again an update, which seems to be needed more frequently and with higher data volumes to patch than other platforms. Most platforms come out with a new release which is followed by a flurry of patches that die down once the release stabilises. Thankfully you can cache this, but it's still a pain, especially since most of these patches require a reboot. I'm hoping that updating browsers won't need it so it can be rolled out quickly - Google would not be keeping its mouth shut about the already-in-the-wild problem if it wasn't serious :(.

              1. Falmari Silver badge

                Re: Playing devil's advocate for a moment...

                @AC “So, you are in effect stating that the said 99% did not do their diligence in securing Windows as it should? Assuming that all these tools are actually built in, is their evident lack of use because they're hard to use, costly, unstable or simply require far more skills than the average admin has?”

                99% on its own is not evidence of lack of use. It is not evidence of anything other than what was stated: “it's implicated in 99% of all ransomware attacks.” No conclusions can be drawn without further figures.

                Such as (and I am assuming implicated means successful attack) what % of all (successful and unsuccessful) ransomware attacks on Windows were successful, and the % distribution of all attacks by platform.

                But I think that 99% implicated is not that bad when 95% of all ransomware attacks target Windows, or so say Google. ;)

                https://www.theregister.com/2021/10/14/googles_virustotal_malware/

              2. Wibble-Wibble

                Re: Playing devil's advocate for a moment...

                If you are going to develop any sort of attack to gain money it makes sense to address the biggest surface area which is Windows. This would explain why most attacks are on that OS rather than any of the others that have much smaller installed bases.

        2. Doctor Syntax Silver badge

          Re: Cool, but why are Microsoft doing this?

          "Also, I don't know about you, but I don't (knowingly) run any software written by my local government."

          I'm not suggesting governments write software*. What I'm suggesting is that if someone is running a malicious server on behalf of one country in the territory of another I'd expect the government of that other country to be the one that puts a stop to it, not Microsoft acting as investigating office, judge, jury and jailer.

          * I don't expect many members of any government to write software. I, on the other hand, have been a Civil Servant, i.e. employed by a government, and as part of that employment, have written software and run it. OTOH I'm most reluctant to run software written by Microsoft.

          1. Def Silver badge

            Re: Cool, but why are Microsoft doing this?

            I think my (early morning, half asleep) point was that because governments don't produce consumer-level software or provide services of that nature to the general public, they generally don't have access to the data required to identify such threats, let alone act on them in the first place.

            If threat prevention were left solely to governments, I think it's safe to assume there wouldn't be any.

      2. John Savard

        Re: Cool, but why are Microsoft doing this?

        Because the servers are located in Russia, and the authorities there are presumably complicit in the cyberattacks on Ukraine, given that they're also in charge of the military attacks on Ukraine.

    2. redpawn

      Re: Cool, but why are Microsoft doing this?

      I think if they allow their insecure products to be freely exploited they would look even worse.

    3. David 132 Silver badge

      Re: Cool, but why are Microsoft doing this?

      I actually emailed the article author just after publication, asking this exact question. I'm not sure how I feel about a private company like Microsoft being able to seize domains - even if, in this case, it's for a good cause. Some context would be really helpful.

      1. Anonymous Coward

        Re: Cool, but why are Microsoft doing this?

        "I'm not sure how I feel about a private company like Microsoft being able to seize domains."

        I am sure how I feel about a private person being able to seize countries.

        1. John Savard

          Re: Cool, but why are Microsoft doing this?

          I don't know. If Elon Musk could seize Russia, I wouldn't mind.

          1. redpawn

            Re: Cool, but why are Microsoft doing this?

            You might well in the end.

      2. Stuart Castle Silver badge

        Re: Cool, but why are Microsoft doing this?

        RE: "Microsoft being able to seize domains"

        I'm not comfortable with any private company having the right to seize any domains they want, but we don't know the domains seized. If they were similar to any Microsoft already have registered, or contained Microsoft product names, it may actually be easier for Microsoft to seize them than a legit law enforcement agency.

        After all, the law enforcement agencies might need to go through a potentially lengthy procedure, possibly involving a judge to issue the takedown. Any company lodging the claim because their copyright has been infringed may just need to send a strongly worded letter or email to the domain registrar.

      3. Citizen of Nowhere

        Re: Cool, but why are Microsoft doing this?

        It does say in the article that they need judicial authorisation and that there is an “expedited” court process they follow to get it. It is true, though, that the author of the article rather skates over that aspect and more information on it would improve the article and provide a better context and better understanding.

    4. John Savard

      Re: Cool, but why are Microsoft doing this?

      Who will buy Microsoft Windows if it is an unreliable and insecure operating system? That and good PR in the United States is all the business reason that is needed.

      1. Doctor Syntax Silver badge

        Re: Cool, but why are Microsoft doing this?

        A question many of us have pondered. Almost everyone seems to be the answer.

  2. HildyJ Silver badge

    Why? Because it's the right thing.

    As many problems as I have with M$, even they can sometimes do the right thing with no ulterior motive.

    I wholeheartedly applaud this move.

    1. Denarius Silver badge

      Re: Why? Because it's the right thing.

      No ulterior motive? Evidence for that assertion? I hope it's true, but history suggests otherwise. The big question is above. Why a company, not a lawful government, taking over the domains? Almost as if western governments are just cover sheets for corporate clowns. Both are incompetent enough to be hard to distinguish at times. Taxpayer money and shareholders' money, treated the same careless greedy way.

    2. Anonymous Coward

      Re: Why? Because it's the right thing.

      "As many problems as I have with M$, even they can sometimes do the right thing with no ulterior motive."

      It's a US company with a long and well documented dodgy history, so no chance.

      1. Craig 2

        Re: Why? Because it's the right thing.

        The "ulterior motive", as you put it, is the reputational damage resulting from more exploits and data losses from services they provide. It's in their interest to make Windows, Office, Azure, etc. as reliable as possible*, which in the end means more customers.

        *I realize this is an open goal; discard that witty scathing comment now and move along.

  3. Kev99 Silver badge

    But, but, the internet is perfectly safe and secure. No one would ever be able to hack into our systems via it. Said no one with any brains or knowledge ever.

  4. RuffianXion

    Have one of these for the Strontium Dog reference.

    1. David 132 Silver badge

      Squaxx dek Thargo, indeed.

  5. IGotOut Silver badge

    For a tech site...

    ... I'm surprised that so many people don't know MS have been doing this for years.

    https://isssource.com/microsoft-seizes-domain-names/

    1. cyberdemon Silver badge

      Re: For a tech site...

      Yes I seem to remember a man named Michael Roe, who had a software company with a domain called mikeroesoft.com and he got similar treatment, for Microsoft are the self-appointed police of the internet and apparently nobody challenges that?

      1. Pascal

        Re: For a tech site...

        What Michael Roe got was a big cease-and-desist letter from Microsoft for what clearly looked like trademark infringement. When it came out that it was a kid that probably did that because he thought it was funny, they actually traded him training, an Xbox, and all sorts of goodies for the domain. So in that other, legal-defense-of-their-brand case, MS actually treated the guy pretty well in the end.

        1. Anonymous Coward

          Re: For a tech site...

          In the end. But only after he went to the press.

  6. Anonymous Coward

    Targeted actions...

    Can they work out the exact physical locations of the hostile hosting servers in Russia, or the location of the bad actors?

    DARPA does have some new toys waiting to be put into use...

  7. RAMstein

    I see what you did there ;-)

    https://images.beastsofwar.com/2018/06/Strontium-Dog-Warlord-Games.jpg


Biting the hand that feeds IT © 1998–2022