Microsoft Secures Court Order to Seize Domains Used to Target Ukraine

Microsoft yesterday disclosed that it secured a court order letting it take control of several domains belonging to APT28, a state-sponsored Russian military intelligence group, to hamper the group’s attacks against Ukraine.

The company recently noticed attacks against Ukrainian targets from Strontium, a Russian actor connected to GRU (Main Intelligence Directorate) that Microsoft tracked for years.

APT28 is a cyber espionage and APT (Advanced Persistent Threat) group active since 2009. The group operated under names including Sofacy, Pawn Storm, Iron Twilight, Sednit, Fancy Bear and Strontium, mainly attacking security-oriented military, media, governments and international non-governmental organizations (NGOs).

Microsoft said in a blog post that the company disrupted some of the group’s attacks aimed at Ukraine. Earlier this week, it obtained a court order that authorizes it to seize seven Internet domains used by Strontium to conduct these malicious operations.

Microsoft then redirected the captured domains to a company-controlled sinkhole, neutralizing the threat actor’s weaponization of the domains and allowing them to notify potential victims.

“Strontium was using this infrastructure to target Ukrainian institutions including media organizations,” the blog post reads. “It was also targeting government institutions and think tanks in the United States and the European Union involved in foreign policy.”

“We believe Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information. We have notified Ukraine’s government about the activity we detected and the action we’ve taken,” the document continues.

The tech giant adds that the Strontium attacks are just the tip of the iceberg amid an “onslaught of cyberwarfare that has escalated since the invasion began and has continued relentlessly.”