A few days ago, TechCrunch reported that Microsoft had successfully seized domains used by APT28, a state-sponsored group operated by Russian military intelligence. At the moment, it targets institutions in Ukraine.
As Microsoft wrote in a blog post, Strontium (Microsoft’s moniker for APT28 or “Fancy Bear”) used various domains to target multiple Ukrainian institutions, including media organizations and government institutions. Almost all organizations and institutions involved in foreign policy in the U.S. and Europe automatically became targets of APT28.
“We believe Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information,” said Tom Burt, Microsoft’s vice president for customer security.
Microsoft obtained a court order on April 6, which allowed the Redmond-based company to take control of seven domains APT28 was using to carry out its cyberattacks. “We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and enable victim notifications,” Burt added. “We have notified Ukraine’s government about the activity we detected and the action we’ve taken.”
This Is Not an Isolated Case
However, this is not the only action Microsoft has taken against Russia. It is part of a wider investigation into the Russian state-sponsored hacking group, which began in 2016. Since then, Microsoft has been in a sustained fight against APT28. Thanks to several court decisions in recent years, it has been able to seize infrastructure used by APT28. In total, Microsoft has filed 15 other cases against the Russian hackers to date, and the company has seized more than 100 malicious domains as a result.
Though Microsoft has been fighting this group since 2016, APT28 has been active since 2009. It has mainly targeted media, military and security organizations, and governments worldwide. It hacked the German federal parliament in 2015 and attacked the Democratic National Committee in 2016.
This hacking group was also linked to the cyberattack on U.S. satellite communications provider Viasat. The attack is thought to be the result of destructive wiper malware that shared similarities with the VPNFilter malware, which infected a large number of home and small business routers and network devices worldwide.
Interestingly but not surprisingly, Microsoft said that APT28’s attacks “are just a small part of the activity we have seen in Ukraine.”