ALEXANDRIA, Va. (CN) — Saying that it spends more than $1.3 million responding to each intrusion by the Barium cybertheft ring, Microsoft has brought a federal complaint to take down the hackers.
Represented by Alston & Bird attorney David Mohl, Microsoft filed its suit under seal on Oct. 26, but U.S. District Judge T. S. Ellis unsealed the 33-page complaint Tuesday in Alexandria.
“Barium is highly sophisticated, well-resourced, organized, and patient,” the complaint states. “Barium specializes in targeting high value organizations holding sensitive data, by gathering extensive information about their employees through publicly available information and social media, using that information to fashion phishing attacks intended to trick those employees into compromising their computers and networks, compromising legitimate enterprise software provider’s products not protected by antivirus software, and disguising its activities using the names of Microsoft and other legitimate companies.”
Microsoft says Barium hackers have two ways of compromising the computers of its targets.
In a “spear phishing attack,” the hackers first identify individuals in the human-resources and business-development departments of certain organizations, even collecting information about those individuals on social media websites.
The hackers then send targeted emails to those individuals using information about ongoing projects, which makes the emails seem authentic. If the recipients download attachments from the phishing email, their computers become infected with a difficult-to-detect malware.
The remote-access “trojans” put in place by the malware” allow Barium to gather a victim’s information, control a victim’s device, install additional malware, and exfiltrate information from a victim’s device,” according to the complaint.
Microsoft also discovered that the hackers configure their malware to communicate with fake profile pages on various social media websites like Facebook and LinkedIn.
“Once installed on victims’ computers, the malware is designed to reach out to these fake website profiles and documents and search for particular text strings (pre-defined textual ‘anchors’), such as comments or random alphanumeric text, that can be decoded and read by the malware to obtain configuration files and the IP addresses and ports of other C&C servers,” the complaint states, using abbreviations for internet protocol and command and control servers. “Once the malware decodes the text strings, it is able to connect to C&C servers from which it obtains additional instructions and to which it sends stolen information.”
Despite their careful work to evade detection, the hackers “used the same email address (firstname.lastname@example.org) to register malicious domains used in connection with at least two toolsets that Barium has employed to compromise victim computers,” Microsoft says.
It notes that Barium registered the domains notped.com and operatingbox.com using this email address, and Barium also linked the same email address to a Microsoft account (email@example.com) that was used to create malware-configuring profiles on the Microsoft Forums website TechNet.
Neither Microsoft nor attorney Mohl have returned requests for comment on the lawsuit.
“Microsoft supports customers who have been victims of Barium,” the complaint states. “Mitigating Barium intrusions on customer networks is often extremely expensive. In typical cases where Microsoft’s Global Incident Response and Recovery team supports an intrusion response related to Barium, average costs can range from 250,000 to approximately 1.3 million dollars per incident or more.”