With a court order, the company seized seven domains related to APT28 – a Russian military hacking unit operating since 2004. The group has been attacking critical Ukraine organizations during the war, aiming to steal sensitive data and perform tactical attacks when needed.
Crippling a Russian APT’s Infrastructure
While it’s known that most developed nations have a state-backed threat group, Russia maintains several of them delegated to each of their special units. And APT28 is something that’s tied to Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. Operating since 2004, the APT28 is also known as Strontium or Fancy Bear and is aimed at spying on targeted individuals or institutions. This is to provide tactical support to Russia when needed, by stealing sensitive information through a bunch of domains used in their attacks. But, Microsoft has successfully disrupted this by taking control over seven of its domains, as per Tom Burt, Corporate Vice President of Customer Security & Trust at Microsoft. He said; “On Wednesday, April 6th, we obtained a court order authorizing us to take control of seven internet domains Strontium was using to conduct these attacks.” Microsoft has been filing cases in the US against this APT since August 2018, and successfully seized 91 malicious domains to date. Microsoft also said the concerned domains are used in cyberattacks against US and EU government institutions in past, and now on Ukrainian organizations. Thus, by seizing them, Microsoft is able to “re-directed these domains to a sinkhole controlled by Microsoft,” thereby mitigating APT28’s current use of these domains. The company also notified the Ukrainian government about APT28’s malicious activity and offered tips on how to stay secure against such attacks.