Microsoft has successfully seized domains used by APT28, a state-sponsored group run by Russian military intelligence, to attack institutions in Ukraine.
The tech giant said in a blog post Thursday that Strontium — Microsoft’s nickname for APT28, or “Fancy Bear,” a hacker group linked to the Russian GRU — is targeting several Ukrainian institutions, including media organizations as well as government agencies and think tanks involved in foreign policy in the United States and Europe.
Tom Burt, Microsoft’s vice president of customer security, said: “We think Strontium was trying to gain long-term access to its targets’ systems, provide strategic support for physical attacks, and exfiltrate sensitive information.”
Microsoft says it received a court order on April 6 allowing the company to take control of seven domains that APT28 used to carry out its cyberattacks. “We’ve since redirected those domains to a Microsoft-controlled sinkhole, allowing us to mitigate Strontium’s current use of those domains and enable victim notifications,” Burt said. “We have informed the Ukrainian government of the activities we discovered and the measures we have taken.”
The move is part of a broader, long-running effort by Microsoft against the Russian state-sponsored hacking group that began in 2016. In recent years, Microsoft has obtained several court orders to seize infrastructure used by APT28. To date, Microsoft has brought 15 other cases against the Russian-backed threat group, resulting in the seizure of more than 100 malicious domains controlled by Russian spies.
The Russian-backed hacking group has been active since at least 2009 and primarily targets media, military and security organizations and governments around the world; its operations include the 2015 hack of the German federal parliament and the 2016 attack on the Democratic National Committee.
APT28 has also been linked to a recent cyberattack on US satellite provider Viasat, an incident that disrupted satellite communications in Central and Eastern Europe. A recent report by SentinelOne states that the attack was likely carried out with destructive wiper malware similar to the VPNFilter malware that has infected thousands of home and small business routers and network devices around the world. In 2018, the FBI attributed VPNFilter to APT28.
Microsoft’s Burt said the APT28 attack is “a small part of the activity we’re seeing in Ukraine,” adding that the company has observed “virtually every Russian state actor involved in the ongoing massive attack on the Ukrainian government and critical infrastructure.”
Just days after Microsoft’s domain seizure, the FBI said it had taken down a large GRU-controlled botnet.