Microsoft takes down APT28 domains used in Ukraine attacks

After taking control of seven domains used as attack infrastructure, Microsoft disrupted attacks on Ukrainian targets carried out by the Russian APT28 hacking group.

Strontium (also tracked as Fancy Bear or APT28), a hacking group linked to Russia's GRU military intelligence service, used these domains to target a range of Ukrainian institutions, including media organisations.

The domains were also used in attacks on US and EU government institutions and foreign policy think tanks.

“On Wednesday, April 6th, we obtained a court order authorising us to take control of seven internet domains used by Strontium to conduct these attacks,” said Tom Burt, Microsoft’s Corporate Vice President of Customer Security & Trust.

“We have since redirected these domains to a Microsoft-controlled sinkhole, allowing us to mitigate Strontium’s current use of these domains and enable victim notifications.”

“We believe Strontium was attempting to gain long-term access to its targets’ systems, to provide tactical support for the physical invasion, and to exfiltrate sensitive information.”
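The sinkhole step in the quotes above is what turns a seized domain into a victim list: once the domain resolves to infrastructure the defender controls, every host that still looks it up or connects to it identifies itself, and the operator can map those source addresses to organisations to notify. The following is an added example of that triage over resolver logs; it is not Microsoft's tooling or code from the article, and the domain names, log lines and owner contacts are constructed placeholders, not the real Strontium domains (which the article does not name).

```python
"""Identify and group likely victims from sinkhole resolver logs (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
import re

# Assumption: placeholder domains standing in for the seized ones.
SINKHOLED = {"example-c2.invalid", "update-check.invalid"}

# Assumption: network-to-contact mapping the sinkhole operator maintains.
OWNERS = {
    "203.0.113.0/24": "ciso@org-a.example",
    "198.51.100.0/24": "soc@org-b.example",
}

# Constructed BIND-style query-log lines; not real data.
SAMPLE_LOG = """\
06-Apr-2022 10:01:12.001 client 203.0.113.17#53211: query: example-c2.invalid IN A + (198.51.100.1)
06-Apr-2022 10:01:15.442 client 203.0.113.17#53215: query: www.example.org IN A + (198.51.100.1)
06-Apr-2022 10:02:03.118 client 198.51.100.77#40022: query: update-check.invalid IN A + (198.51.100.1)
06-Apr-2022 10:02:09.500 client 203.0.113.200#41111: query: EXAMPLE-C2.invalid. IN A + (198.51.100.1)
malformed line that should be skipped
"""

LINE_RE = re.compile(
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (source_ip, normalised_qname, qtype) or None for lines that do not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Case-fold and strip the trailing dot so "EXAMPLE-C2.invalid." matches the indicator.
    qname = m.group("qname").rstrip(".").lower()
    return m.group("src"), qname, m.group("qtype")


def victims(log_text, sinkholed):
    """Map each sinkholed domain to the sorted list of source IPs that queried it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than aborting the run
        src, qname, _ = parsed
        if qname in sinkholed:
            hits[qname].add(src)
    return {d: sorted(ips, key=ip_address) for d, ips in hits.items()}


def notification_list(hits, owners):
    """Group (ip, domain) pairs by the contact responsible for the source network.

    Addresses in no known network land under 'unassigned' so they are not silently dropped.
    """
    nets = [(ip_network(n), contact) for n, contact in owners.items()]
    grouped = defaultdict(list)
    for domain, ips in hits.items():
        for src in ips:
            addr = ip_address(src)
            contact = next((c for net, c in nets if addr in net), "unassigned")
            grouped[contact].append((src, domain))
    return {c: sorted(v, key=lambda t: (ip_address(t[0]), t[1])) for c, v in grouped.items()}


if __name__ == "__main__":
    found = victims(SAMPLE_LOG, SINKHOLED)
    for contact, entries in notification_list(found, OWNERS).items():
        print(contact)
        for src, domain in entries:
            print(f"  {src} -> {domain}")
```

Queries for domains outside the indicator set (the `www.example.org` line) are ignored, and the trailing-dot and case normalisation matters: a naive string comparison would miss the fourth line. In practice the same grouping is run over the sinkhole's HTTP or TCP connection logs as well, since a DNS lookup alone only shows that a resolver, not necessarily the infected host, asked for the name.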

Microsoft also notified the Ukrainian government of Strontium's activity and of the disruption of its attempts to compromise the networks of targeted organisations in Ukraine.

Microsoft has filed a series of lawsuits against APT28, including one that led to the seizure of 91 malicious domains in August 2018. This takedown is part of an ongoing effort, begun in 2016, to use legal and technical action to seize infrastructure operated by Strontium.
