When a foreign hacking group called “Strontium” or “Fancy Bear”—believed to be associated with Russia’s military intelligence agency, the GRU—attacked Microsoft Corp. and its political, government and defense customers, Ramsey developed a cybercrime deterrence plan.
“These actors send phishing emails to victims with links to particular URLs where they are to type in their credentials,” Ramsey said. “When that happens, the actors now have access to a lot of information.”
As Ramsey and colleagues explained in a briefing to U.S. District Judge Liam O’Grady of Alexandria, Virginia, the actors’ malware infected the target computers of Microsoft’s customers, “deceiving them by misuse of Microsoft’s trademarks, and stealing computer users’ online login credentials, personal information and highly sensitive and proprietary data.” The intrusions “caused extreme and irreparable injury to Microsoft, its customers and the public.”
Through the novel application of federal hacking, trademark and state laws, Ramsey obtained injunctions transferring control of the Strontium actors’ infrastructure to Microsoft, enabling the client to assist victims in mitigating the threat.
“The court order says that once we demonstrate that the domains are malicious, we can gain control. So now we are on the inside looking out, just as the defendants were a minute ago,” Ramsey said. “That lets us better see exactly who the victims are. Our whole goal is to protect them. They may not even know they have been compromised.” Microsoft Corp. v. Does 1-2, 1:16-cv-00993 (E.D. Va., filed Aug. 5, 2016).
“We have done this before, and usually once the defendants’ infrastructure has been taken down they scurry off and keep their heads down,” he added. “But these alleged state actors keep coming back. They don’t seem to care.”
Ramsey developed, and the court put in place, an ongoing process overseen by a special master, so that within 24 to 48 hours of Microsoft discovering another effort by Strontium to use fake domains, they can be taken down and transferred to the client.
In 2018, this enabled Microsoft to assist parties associated with the U.S. mid-term elections to avoid being infected by new attacks.
“What’s new here is the special master structure that lets us continually police the injunction,” Ramsey said. Microsoft reported it used the approach 12 times over two years to shut down 84 fake websites associated with Strontium.
“My practice is litigation focused, and that goes hand in hand with breach deterrence and enforcement,” Ramsey said. “My role often is to work with the government to identify the bad actors and then use legal tools to hold them accountable. Part of the role is to be an investigator, and that part is fascinating.”
– John Roemer