Microsoft disrupted APT28 attacks on Ukraine through a court order

Pierluigi Paganini April 08, 2022

Microsoft obtained a court order to take over seven domains used by the Russia-linked APT28 group to target Ukraine.

Microsoft on Thursday announced it has obtained a court order to take over seven domains used by Russia-linked cyberespionage group APT28 in attacks against Ukraine.

The APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM) has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 Presidential election.

The group operates out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

Most of APT28’s campaigns have leveraged spear-phishing and malware-based attacks.

The court order allowed the IT giant to sinkhole the domains, which means that the company was able to redirect traffic destined for the seized domains to infrastructure controlled by Microsoft. This practice allows researchers to analyze the traffic and the nature of the malicious agents employed in the attacks, as well as to map the victim population from the hosts that keep contacting the seized domains.
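As an added illustration of the sinkhole analysis described above (this is not code from Microsoft or from the article), the following Python script aggregates constructed sinkhole DNS query logs per seized domain to count distinct beaconing clients and their activity window. The domain names and the log format are assumptions, since the article does not list the seized domains.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample sinkhole DNS log lines (timestamp, client IP, qtype, qname).
# The domains are placeholders, not the seven domains named in the court order.
SAMPLE_LOG = """\
2022-04-06T10:01:12Z 203.0.113.7 A seized-domain-1.example
2022-04-06T10:01:15Z 203.0.113.7 A seized-domain-1.example
2022-04-06T10:03:40Z 198.51.100.22 A seized-domain-2.example
2022-04-06T10:05:02Z 203.0.113.9 AAAA seized-domain-1.example
2022-04-06T10:07:31Z 192.0.2.44 A unrelated.example
2022-04-06T11:12:00Z 198.51.100.22 A seized-domain-2.example
"""

SINKHOLED = {"seized-domain-1.example", "seized-domain-2.example"}  # assumed set
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

@dataclass
class DomainStats:
    clients: set = field(default_factory=set)
    queries: int = 0
    first_seen: str = ""
    last_seen: str = ""

def map_victims(log_text, sinkholed):
    """Aggregate sinkhole queries per seized domain: distinct client IPs
    (the beaconing victim population), query volume and time window."""
    stats = defaultdict(DomainStats)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, client, _qtype, qname = m.groups()
        qname = qname.rstrip(".").lower()
        if qname not in sinkholed:
            continue  # queries for other names are noise for this analysis
        try:
            ipaddress.ip_address(client)
        except ValueError:
            continue  # not a usable source address
        s = stats[qname]
        s.clients.add(client)
        s.queries += 1
        # ISO-8601 UTC timestamps compare correctly as strings
        s.first_seen = min(s.first_seen, ts) if s.first_seen else ts
        s.last_seen = max(s.last_seen, ts)
    return dict(stats)
```

Each distinct client address per domain is a candidate victim for notification; repeated queries from one address show the beacon is still active.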

“We recently observed attacks targeting Ukrainian entities from Strontium, a Russian GRU-connected actor we have tracked for years. This week, we were able to disrupt some of Strontium’s attacks on targets in Ukraine. On Wednesday April 6th, we obtained a court order authorizing us to take control of seven internet domains Strontium was using to conduct these attacks,” reads the announcement published by Microsoft. “We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and enable victim notifications.”

According to Microsoft, the APT28 group used the domains as part of an attack infrastructure employed against Ukrainian institutions, including media organizations, as well as against government institutions and think tanks in the United States and the European Union involved in foreign policy.

Strontium was using this infrastructure to target Ukrainian institutions, including media organizations. It was also targeting government institutions and think tanks in the United States and the European Union involved in foreign policy. 

The attacks launched through this infrastructure are part of a campaign conducted by the APT28 group to establish long-term access to the systems of its targets and exfiltrate sensitive information.

Microsoft said it notified Ukraine’s government about the campaign, and added that Ukrainian entities have also been targeted by other Russia-linked cyberespionage groups since the beginning of the invasion.

This isn’t the first time that Microsoft has obtained a court order to seize infrastructure used by threat actors like APT28.

Microsoft has previously used a lawsuit to disrupt a large number of cyberespionage campaigns conducted by the infamous Fancy Bear APT group (APT28, Sofacy, Sednit, and Pawn Storm). With the help of the authorities, the company’s experts took over the group’s command and control infrastructure in order to analyze the traffic and identify the targets of the malware, using the lawsuit as a tool.

“We have established a legal process that enables us to obtain rapid court decisions for this work. Prior to this week, we had taken action through this process 15 times to seize control of more than 100 Strontium controlled domains,” concludes Microsoft. “The Strontium attacks are just a small part of the activity we have seen in Ukraine. We have observed nearly all of Russia’s nation-state actors engaged in the ongoing full-scale offensive against Ukraine’s government and critical infrastructure, and we continue to work closely with government and organizations of all kinds in Ukraine to help them defend against this onslaught.”
