Microsoft has taken control of domains that APT28, a hacking group run by Russian military intelligence, was using to target Ukrainian institutions, including media outlets, as well as government agencies and think tanks involved in foreign policy in the United States and Europe.
Strontium — Microsoft’s moniker for APT28 or “Fancy Bear,” a hacking group linked to Russia’s GRU — used the domains to target multiple Ukrainian institutions, including media organisations, as well as government institutions and think tanks involved in foreign policy in the United States and Europe, according to a blog post published on Thursday.
“We think Strontium’s goal was to establish long-term access to its targets’ systems, provide tactical support for the physical invasion, and exfiltrate crucial information,” said Tom Burt, Microsoft’s vice president of customer security.
Microsoft says it obtained a court order on April 6 authorising it to take over seven domains that APT28 was using to conduct its attacks.
“We have since redirected these names to a sinkhole maintained by Microsoft, allowing us to mitigate Strontium’s present use of these domains and enable victim notifications,” Burt continued.
“We informed Ukrainian authorities about the behaviour we saw and the steps we took.”
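Sinkholing works because a seized domain keeps resolving, but now to infrastructure the defender controls: every infected host that still beacons to it identifies itself by source IP, which is what makes the victim notifications Burt describes possible. The following is an added example, not code from the article or from Microsoft, showing both sides of that: an enterprise checking its own resolver logs for hosts that looked up seized names, and the sinkhole operator's view of who connected. The domain names, log formats and log lines are constructed placeholders, since the article does not list the seized domains.

```python
import re
from collections import defaultdict
from typing import Dict, Optional, Set

# Hypothetical placeholders standing in for the seized domains (assumption:
# the article does not name them).
SEIZED_DOMAINS = {"update-check.example", "mail-verify.example"}

# Constructed lines in a simplified BIND-style query-log format (not real data).
RESOLVER_LOG = """\
client 10.20.30.41#51234 (update-check.example): query: update-check.example IN A +
client 10.20.30.41#51235 (cdn.update-check.example): query: cdn.update-check.example IN A +
client 10.20.30.77#40001 (www.microsoft.com): query: www.microsoft.com IN A +
client 10.20.31.5#53222 (mail-verify.example): query: mail-verify.example IN MX +
client 10.20.30.41#51236 (update-check.example.corp.internal): query: update-check.example.corp.internal IN A +
"""

# Constructed records as a sinkhole operator would see them (not real data):
# timestamp, source IP, Host header or SNI, request line.
SINKHOLE_LOG = """\
2022-04-10T09:12:03Z 203.0.113.25 update-check.example GET /api/check
2022-04-10T09:12:09Z 203.0.113.25 cdn.update-check.example GET /cfg
2022-04-10T09:14:30Z 198.51.100.9 mail-verify.example POST /login
"""

_QUERY_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)


def seized_parent(qname: str, seized: Set[str]) -> Optional[str]:
    """Return the seized domain that qname equals or is a subdomain of, else None.

    Matching is label-aware on purpose: 'cdn.update-check.example' is under the
    seized name, but 'update-check.example.corp.internal' (a client appending
    its DNS search suffix) is not, and a plain substring test would miss that.
    """
    name = qname.rstrip(".").lower()
    for domain in seized:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def victims_from_resolver_log(log: str, seized: Set[str]) -> Dict[str, Set[str]]:
    """Defender side: map each internal client IP to the seized domains it queried.

    After a seizure these lookups still succeed (they now resolve to the
    sinkhole), so an infected host keeps querying and shows up here.
    """
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        m = _QUERY_RE.search(line)
        if not m:
            continue
        domain = seized_parent(m.group("qname"), seized)
        if domain:
            hits[m.group("ip")].add(domain)
    return dict(hits)


def victims_from_sinkhole_log(log: str, seized: Set[str]) -> Dict[str, Set[str]]:
    """Sinkhole-operator side: map each source IP that reached the sinkhole to the
    seized domains it was contacting. This is the raw input for victim
    notification; mapping an IP to an owner (WHOIS/ASN) is a separate step.
    """
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        src_ip, host = parts[1], parts[2]
        domain = seized_parent(host, seized)
        if domain:
            hits[src_ip].add(domain)
    return dict(hits)


if __name__ == "__main__":
    for ip, doms in sorted(victims_from_resolver_log(RESOLVER_LOG, SEIZED_DOMAINS).items()):
        print(f"internal host {ip} queried: {', '.join(sorted(doms))}")
    for ip, doms in sorted(victims_from_sinkhole_log(SINKHOLE_LOG, SEIZED_DOMAINS).items()):
        print(f"sinkhole contact from {ip}: {', '.join(sorted(doms))}")
```

On the defender side the useful output is the list of internal hosts, not the domains: once the domains are sinkholed the hosts are no longer reaching the attacker, but they are still compromised and need the same response as before the seizure.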
The action is part of a long-running Microsoft investigation into the group that began in 2016. Microsoft has obtained court orders on several occasions in recent years to take over infrastructure used by APT28; before this week's action, the company had used the same legal process 15 times to seize more than 100 domains controlled by the group.
The Russia-backed hacking group has been active since at least 2009, mostly targeting media, military, security, and government organisations around the world, including a 2015 hack of the German federal parliament and a 2016 attack on the Democratic National Committee.
APT28 has also been linked to the recent cyberattack on Viasat, a US satellite communications operator, which caused satellite service failures across Central and Eastern Europe.
According to a recent analysis, the outage was most likely caused by destructive wiper malware that resembles VPNFilter, the malware that infected thousands of home and small-business routers and network devices around the world. The FBI attributed the VPNFilter operation to APT28 in 2018.
According to Microsoft’s Burt, APT28’s attacks “represent just a small component of the activity we’ve seen in Ukraine,” and the company has “seen practically all of Russia’s nation-state actors involved in the current full-scale offensive against Ukraine’s government and key infrastructure.”
Microsoft’s domain seizures come only days after the FBI announced the takedown of a major botnet managed by the GRU.