After shutting down seven domains used as attack infrastructure, Microsoft disrupted cyberattacks against Ukrainian targets run by the Russian APT28 hacking group. Strontium (also known as Fancy Bear or APT28) has been linked to Russia's military intelligence service, the GRU, and used these domains to attack several Ukrainian institutions, including media organizations. The same domains were also used in attacks on government bodies involved in foreign policy and on think tanks in the United States and Europe.
“On Wednesday, April 6th, we obtained a court order authorizing us to take control of seven internet domains Strontium was using to conduct these attacks,” as stated by Tom Burt, Corporate Vice President of Customer Security & Trust at Microsoft. “We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and enable victim notifications.”
According to Microsoft, Strontium sought long-term access to its targets' systems, provided tactical support for the physical invasion, and exfiltrated sensitive data. Microsoft also reported Strontium's malicious activity to the Ukrainian authorities, which led to the disruption of attempts to breach the networks of targeted organizations in Ukraine.
In August 2018, Microsoft filed 15 other complaints against the Russian-backed threat group, resulting in the seizure of 91 malicious domains. Burt added that this disruption is part of a long-term investment, begun in 2016, in seizing infrastructure used by Strontium through legal and technical means, for which Microsoft has built a legal process that allows it to obtain court decisions quickly.
APT28 has been acting on behalf of the 85th Main Special Service Center (GTsSS) military unit 26165 of Russia’s General Staff Main Intelligence Directorate (GRU) since at least 2004. Its operators have been linked to cyber-espionage activities against governments all over the globe, including a 2015 hack of the German federal parliament and 2016 cyberattacks on the Democratic National Committee (DNC) and Democratic Congressional Campaign Committee (DCCC).
In 2018, the US charged members of this Russian military hacking unit with hacking the DNC and DCCC, as well as with targeting and hacking specific members of the Clinton campaign. Two years later, the Council of the European Union sanctioned multiple APT28 members for their role in the 2015 breach of the German Federal Parliament (Deutscher Bundestag).