Microsoft has successfully seized domains used by APT28, a state-sponsored group operated by Russian military intelligence, to target institutions in Ukraine.
The tech giant said in a blog post on Thursday that Strontium — Microsoft’s moniker for APT28 or “Fancy Bear,” a hacking group linked to Russia’s GRU — used the domains to target multiple Ukrainian institutions, including media organizations, as well as government institutions and think tanks involved in foreign policy in the U.S. and Europe.
“We believe Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information,” said Tom Burt, Microsoft’s vice president for customer security.
Microsoft said it obtained a court order on April 6 that authorized the company to take control of seven domains APT28 was using to carry out its cyberattacks. “We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and enable victim notifications,” Burt added. “We have notified Ukraine’s government about the activity we detected and the action we’ve taken.”
This action is part of a wider Microsoft investigation into the Russian state-sponsored hacking group that started back in 2016. Microsoft has obtained several court decisions in recent years to seize infrastructure being used by APT28. To date, Microsoft has filed 15 other cases against the Russian-backed threat group, leading to the seizure of more than 100 malicious domains controlled by the Russian spies.
Read the story via TechCrunch