Microsoft Seized Russian Domains Targeting Ukrainian Media Organizations
Microsoft has seized control of domains used by APT28, a hacking group sponsored by Russian military intelligence that has been targeting Ukrainian institutions.
Strontium, Microsoft’s moniker for APT28 or “Fancy Bear,” a hacking group linked to Russia’s GRU, used the domains to target multiple Ukrainian institutions, including media organizations, as well as government institutions and think tanks involved in foreign policy in the United States and Europe, according to a blog post published on Thursday.
“We believe Strontium was seeking to get long-term access to its targets’ computers, provide tactical assistance for a physical invasion, and exfiltrate sensitive data,” said Tom Burt, Microsoft’s corporate vice president for customer security and trust.
Microsoft said it obtained a court order on April 6 authorizing it to take control of seven domains that APT28 was using in these attacks.
“We’ve since redirected these names to a sinkhole maintained by Microsoft, allowing us to reduce Strontium’s present use of these domains while still enabling victim notifications,” Burt explained. “We informed the Ukrainian authorities of the activity we discovered and the actions we took.”
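A sinkhole like the one described above helps defenders only if they check whether their own hosts ever resolved the seized names. The script below is an added example, not code from the article or from Microsoft: it hunts DNS query logs for lookups of a takedown list, matching on label boundaries so that look-alike names are not flagged by accident. The domain names and log lines are constructed placeholders (the article does not name the seven seized domains), and the log format (timestamp, client IP, query name, record type) is an assumption.

```python
"""Hunt DNS query logs for lookups of seized/sinkholed domains.

Added example. The domains and log lines are constructed placeholders,
not the seven domains Microsoft seized (the article does not list them).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed takedown list (placeholders, not real indicator data).
SEIZED_DOMAINS = {
    "ukr-media-login.example",
    "mail-verify-update.example",
}

# Constructed log lines in an assumed "timestamp client qname qtype" format.
SAMPLE_LOG = """\
2022-04-05T09:12:01Z 10.1.4.22 www.ukr-media-login.example A
2022-04-05T09:12:02Z 10.1.4.22 UKR-MEDIA-LOGIN.example. A
2022-04-05T09:13:40Z 10.1.7.9 notukr-media-login.example A
2022-04-05T10:01:11Z 10.1.4.30 mail-verify-update.example MX
2022-04-05T10:05:00Z 10.1.4.31 example.com A
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    qname: str
    matched: str


def normalize(name: str) -> str:
    """Lower-case and drop the trailing root dot so 'Foo.example.' == 'foo.example'."""
    return name.lower().rstrip(".")


def matches_seized(qname: str, seized: Set[str]) -> Optional[str]:
    """Return the seized domain that qname equals or sits under, else None.

    Matching on a label boundary ('.' + domain) stops a look-alike such as
    'notukr-media-login.example' from matching 'ukr-media-login.example'.
    """
    q = normalize(qname)
    for d in seized:
        d = normalize(d)
        if q == d or q.endswith("." + d):
            return d
    return None


def hunt(log_text: str, seized: Set[str]) -> List[Hit]:
    """Return one Hit per log line whose query name is a seized domain or a subdomain of one."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than abort the whole hunt
        ts, client, qname, _qtype = parts[:4]
        d = matches_seized(qname, seized)
        if d is not None:
            hits.append(Hit(ts, client, qname, d))
    return hits


def clients_by_domain(hits: List[Hit]) -> Dict[str, List[str]]:
    """Group the client IPs that looked up each seized domain, for victim notification."""
    out = defaultdict(set)
    for h in hits:
        out[h.matched].add(h.client)
    return {domain: sorted(clients) for domain, clients in out.items()}


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG, SEIZED_DOMAINS)
    for h in found:
        print(f"{h.timestamp} {h.client} queried {h.qname} (seized: {h.matched})")
    print(clients_by_domain(found))
```

Run against the constructed log, three of the five lines are flagged: the two lookups of the first domain (one via a subdomain, one with different case and a trailing dot) and the MX lookup of the second; the look-alike name is ignored. In practice the takedown list would come from the vendor's or law enforcement's published indicators and the log from the resolver or DNS telemetry the organization actually keeps.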
The seizure is part of a long-running Microsoft effort, dating back to 2016, to take legal and technical action against this Russian state-sponsored group. Microsoft has established a legal process that lets it obtain court orders quickly for this purpose; before this week’s action, it had used that process 15 times to seize control of more than 100 Strontium-controlled domains.
The Russia-backed group has been active since at least 2009, mostly targeting media, military and security institutions and governments around the world; its past operations include the 2015 hack of the German federal parliament (Bundestag) and the 2016 intrusion into the Democratic National Committee.
APT28 has also been tentatively linked to the recent cyberattack on Viasat, a US satellite communications company, which caused satellite service interruptions across Central and Eastern Europe. According to a recent SentinelOne analysis, the attack was most likely carried out with a destructive wiper, dubbed AcidRain, that shares code with VPNFilter, malware that infected hundreds of thousands of home and small-office routers and network devices around the world. The FBI attributed the VPNFilter operation to APT28 in 2018.
APT28’s attacks, according to Microsoft’s Burt, are “only a small part of the activity we’ve seen in Ukraine,” with the company having “seen practically all of Russia’s nation-state actors involved in the current full-scale offensive against Ukraine’s government and critical infrastructure.”
Microsoft’s domain seizures came only days after the FBI and the US Justice Department announced that they had disrupted Cyclops Blink, a botnet controlled by the GRU.