Microsoft said it has disrupted cyberattacks from a Russia-linked group called Strontium (aka APT28 and Fancy Bear) targeting Ukraine and the West. The software giant obtained a court order allowing it to take control of seven internet domains being used by Strontium to coordinate attacks. The announcement comes shortly after the FBI said it had disrupted botnets also run by the GRU.
"On Wednesday, April 6th, we obtained a court order authorizing us to take control of seven internet domains Strontium was using to conduct these attacks," said Microsoft security VP Tom Burt. "We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium's current use of these domains and enable victim notifications."
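The sinkhole step described above is what turns a domain seizure into victim notifications: once the seized names resolve to infrastructure the defender controls, every machine that still tries to reach them identifies itself by connecting. The script below is an added example, not Microsoft's code; the article names none of the seven domains, so the domain names, IP ranges, organisation labels and log lines are all constructed placeholders. It parses a sinkhole access log, keeps only connections to the seized names, maps the source address to an owner from a contact list, and groups the results into per-organisation notification records.

```python
"""Sinkhole log triage: turn connections to seized domains into victim notifications.

Added example, not Microsoft's code.  Every domain, IP range, organisation name
and log line here is a constructed placeholder.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed: domains a court order allowed the defender to redirect to a sinkhole.
SINKHOLED_DOMAINS = {"example-seized-1.invalid", "example-seized-2.invalid"}

# Constructed: address space -> notification contact, as a defender's contact list would hold.
OWNERS = [
    (ipaddress.ip_network("203.0.113.0/24"), "Ministry (EU) - CERT contact"),
    (ipaddress.ip_network("198.51.100.0/25"), "Newsroom (UA) - IT security"),
]

# Constructed sinkhole access log: timestamp, source IP, hostname the client asked for.
# Includes an unattributed source, a query for a non-seized name, and a malformed line.
SAMPLE_LOG = """\
2022-04-07T01:02:03Z 203.0.113.7 example-seized-1.invalid
2022-04-07T01:05:10Z 203.0.113.7 example-seized-1.invalid
2022-04-07T02:11:45Z 198.51.100.9 example-seized-2.invalid
2022-04-07T02:12:00Z 192.0.2.55 example-seized-2.invalid
2022-04-07T02:13:00Z 198.51.100.9 unrelated.invalid
not a log line
"""


def parse_line(line):
    """Return (timestamp, ip, host) for a well-formed line, or None otherwise."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        ip = ipaddress.ip_address(parts[1])
    except ValueError:
        return None
    return ts, ip, parts[2].lower()


def owner_of(ip):
    """Look up which organisation owns the source address; None if unattributed."""
    for net, name in OWNERS:
        if ip in net:
            return name
    return None


def build_notifications(log_text):
    """Group sinkhole hits by victim organisation; unattributed sources go under 'unknown'."""
    report = defaultdict(
        lambda: {"hosts": set(), "domains": set(), "hits": 0, "first_seen": None}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        ts, ip, host = rec
        if host not in SINKHOLED_DOMAINS:
            continue  # a sinkhole also sees stray queries; only seized names matter
        org = owner_of(ip) or "unknown"
        entry = report[org]
        entry["hosts"].add(str(ip))
        entry["domains"].add(host)
        entry["hits"] += 1
        if entry["first_seen"] is None or ts < entry["first_seen"]:
            entry["first_seen"] = ts
    return dict(report)


if __name__ == "__main__":
    for org, entry in build_notifications(SAMPLE_LOG).items():
        print(f"{org}: {entry['hits']} hit(s) from {sorted(entry['hosts'])} "
              f"to {sorted(entry['domains'])}, first seen {entry['first_seen']:%Y-%m-%d %H:%M}")
```

The "unknown" bucket is the important edge case: a sinkhole sees every host that still beacons, including ones outside any contact list, and those still need to be handed to a national CERT or the hosting provider rather than dropped.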
Organizations targeted included Ukrainian institutions and media organizations, along with foreign policy government bodies in the US and EU. "We believe Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information," Microsoft said.
Its actions are part of a larger effort by businesses and governments to thwart a wave of attacks directed at Ukraine. Microsoft has been taking legal and technical action to seize infrastructure used by APT28 as part of an "ongoing long-term investment started in 2016," said Burt. "We have established a legal process that enables us to obtain rapid court decisions for this work."
The FBI announced yesterday that it had silently removed Russian malware that allowed the country's GRU military intelligence arm to create botnets using infected computer networks. Strontium has reportedly operated since the mid-2000s and has been linked to attacks against US government agencies, EU elections, NGOs, non-profits and other agencies.