Microsoft Takes Down APT28 Domains Used in Attacks Against Ukraine
Microsoft has successfully disrupted attacks against Ukrainian targets coordinated by the Russian APT28 hacking group after taking down seven domains used as attack infrastructure.
Strontium (also tracked as Fancy Bear or APT28), linked to Russia’s military intelligence service GRU, used these domains to target multiple Ukrainian institutions, including media organizations.
The domains were also used in attacks against US and EU government institutions and think tanks involved in foreign policy.
“On Wednesday, April 6th, we obtained a court order authorizing us to take control of seven internet domains Strontium was using to conduct these attacks,” said Tom Burt, Corporate Vice President of Customer Security & Trust at Microsoft.
“We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and enable victim notifications.
“We believe Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information.”
Microsoft also notified the Ukrainian government about Strontium’s malicious activity and the disruption of efforts to compromise targeted organizations’ networks in Ukraine.
Linked to hacks targeting governments worldwide
Before this, Microsoft filed 15 other cases against this Russian-backed threat group in August 2018, leading to the seizure of 91 malicious domains.
“This disruption is part of an ongoing long-term investment, started in 2016, to take legal and technical action to seize infrastructure being used by Strontium. We have established a legal process that enables us to obtain rapid court decisions for this work,” Burt added.
APT28 has been operating since at least 2004 on behalf of Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.
Its operators are linked to cyber-espionage campaigns targeting governments worldwide, including a 2015 hack of the German federal parliament and attacks against the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee (DCCC) in 2016.
Members of this Russian military hacking unit have been charged by the US for hacking the DNC and the DCCC in 2018, and for targeting and hacking individual members part of the Clinton Campaign.
Two years later, the Council of the European Union announced sanctions against multiple APT28 members for their involvement in the 2015 hack of the German Federal Parliament (Deutscher Bundestag).