Microsoft Seizes Russian Domains Targeting Ukraine
Tech Firm Seizes 7 Domains Used by APT28/Strontium to Establish Persistent Access
Technology giant Microsoft says it has seized control of seven domains that belonged to the Russian GRU-linked, state-sponsored threat group Strontium. The group, also known as APT28 and Fancy Bear, used the domains to target Ukrainian institutions, such as its media organizations, and also had U.S. and European Union government entities and decision-makers on its radar, Microsoft says.
Tom Burt, corporate vice president of customer security and trust for Microsoft, in a blog post published on Thursday says, "On April 6, we obtained a court order authorizing us to take control of seven internet domains [that] Strontium was using to conduct these attacks. We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and enable victim notifications."
According to Microsoft, Strontium was trying to establish persistent access or backdoors in its targeted systems. The aim of this move may have been to provide tactical support for Russia's physical invasion of Ukraine and to exfiltrate sensitive information, Burt says.
Ukraine's government has been made aware of this activity and the subsequent action that Microsoft has taken, the company says.
Neither Microsoft nor Burt specified the malicious activities that were carried out from these seven seized domains, but David Cuddy, general manager for public affairs at Microsoft, says in a tweet that they were primarily being used for phishing attempts.
"This is one of the phishing attempts from Strontium." pic.twitter.com/c2bOEUIEqB (David Cuddy, @dacuddy, April 7, 2022)
Ongoing Campaign Against Strontium
The current disruption and seizure of Strontium's illicit infrastructure is part of an "ongoing long-term investment," Burt says. Since 2016, Microsoft has been taking legal and technical action to seize infrastructure being used by Strontium (see: Microsoft Battles Fancy Bear Hackers - With Lawyers).
To do this, Microsoft says it "established a legal process that enables us to obtain rapid court decisions." Prior to this week's seizure, Microsoft has taken action 15 times through this process to seize control of more than 100 Strontium-controlled domains.
In its annual Digital Defense Report, the technology firm says that Strontium attempted to infiltrate user accounts across all continents, but that the group is "predominantly focused on organizations based in the U.S., followed by Ukraine, the U.K., and NATO allies and member states across Europe." Microsoft says Russia's declaration that these countries are "unfriendly" is the major reason for that.
In September 2019, Strontium attempted to attack more than 200 election-related organizations, including political campaigns, advocacy groups, parties and political consultants, according to Microsoft's Threat Intelligence Center (see: Final Report: More 2016 Russian Election Hacking Details).
Since 2016, Strontium has updated its tactics, adding new reconnaissance tools and obfuscation techniques, Microsoft says. The APT group now focuses on brute-force and password-spraying attacks, which it runs through more than 1,000 constantly rotating IP addresses, many of which use the Tor anonymizing network.
Microsoft says the Strontium attacks are just a small part of the high volume of activity that it has seen in Ukraine. "Before the Russian invasion, our teams began working around the clock to help organizations in Ukraine, including government agencies, defend against an onslaught of cyberwarfare that has escalated since the invasion began and has continued relentlessly," Burt says.
Yuriy Shchyhol, head of the State Service for Special Communications and Information Protection of Ukraine, on March 28 acknowledged Microsoft's support to Ukraine to thwart these cyberattacks, which were targeted at critical infrastructure. At the time, Shchyhol said, "Ukraine is helped by all the world's leading IT companies, including giants such as Microsoft and Oracle."
Since the beginning of the invasion, Microsoft has observed nearly all Russian nation-state actors engaged in the ongoing full-scale offensive against Ukraine's government and critical infrastructure. "We continue to work closely with the government and organizations of all kinds in Ukraine to help them defend against this onslaught. In the coming weeks we expect to provide a more comprehensive look at the scope of the cyberwar in Ukraine," Microsoft says.
The Ukrainian CERT has published information on the distribution of a malicious email - with the subject "No. 1275 from 07.04.2022" - containing an HTML file of the same name. When the file is opened, an archive named "1275_07.04.2022.rar" is created on the computer, and it contains a LNK file called "On the facts of persecution and murder of prosecutors by the Russian military in the temporarily occupied territories.lnk." When opened, this file downloads and launches a malicious payload. CERT-UA attributes this activity to the Russian attack group UAC-0010, aka Armageddon/Gamaredon/Primitive Bear.
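A mail-gateway triage heuristic for the delivery chain CERT-UA describes (an HTML attachment that writes a RAR archive holding a LNK file), as an added example that is not code from CERT-UA, Microsoft or the original article. It assumes the archive is carried inside the HTML as a base64 string, which the article does not state; the function names and sample data are constructed for illustration.

```python
import base64
import binascii
import re

RAR_MAGIC = b"Rar!\x1a\x07"  # common prefix of the RAR4 and RAR5 signatures
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # only long base64 runs

def embedded_blobs(html):
    """Yield the decoded bytes of every long base64 run in the HTML."""
    for match in B64_RUN.finditer(html):
        try:
            yield base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # run was not valid base64, ignore it

def triage_html_attachment(html):
    """Return findings for an HTML attachment (assumed base64 embedding)."""
    findings = []
    for blob in embedded_blobs(html):
        if not blob.startswith(RAR_MAGIC):
            continue
        findings.append("html-embeds-rar")
        # Heuristic: member names are readable in the archive headers
        # unless the sender encrypted the headers, so look for a shortcut.
        if b".lnk" in blob.lower():
            findings.append("rar-lists-lnk")
    return findings

# Constructed sample data: NOT a valid archive, only the signature bytes
# followed by padding and a shortcut-style file name.
_fake_rar = RAR_MAGIC + b"\x01\x00" + b"\x00" * 16 + b"decoy document.lnk"
SAMPLE_SUSPICIOUS = '<html><script>var data = "%s";</script></html>' % (
    base64.b64encode(_fake_rar).decode()
)
# Constructed benign sample: an inline image stub in a data URI.
SAMPLE_BENIGN = '<html><img src="data:image/png;base64,%s"></html>' % (
    base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 40).decode()
)

if __name__ == "__main__":
    print(triage_html_attachment(SAMPLE_SUSPICIOUS))
    print(triage_html_attachment(SAMPLE_BENIGN))
```

A hit on both findings is a reason to quarantine and inspect the attachment, not proof of malice; an archive with encrypted headers or a different embedding method will not match.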
Earlier, in a similar operation, Microsoft seized control of 99 website domains allegedly used by the Iranian threat group Phosphorus in a spear-phishing campaign. The group had targeted journalists and activists throughout the Middle East (see: Microsoft Takes Control of 99 Websites From APT Group).
In December 2021, Microsoft received a court order from the U.S. District Court for the Eastern District of Virginia that granted Microsoft's request to seize websites used by a China-based threat group called Nickel to gather intelligence from government agencies, think tanks and human rights organizations in the U.S. and 28 other countries, according to the company (see: Microsoft Gets Court Order to Disrupt Chinese Cyber Ops).