Microsoft dogs Strontium domains to stop attacks on Ukraine

Microsoft this week seized seven internet domains run by Russia-linked threat group Strontium, which was using the infrastructure to target Ukrainian institutions as well as think tanks in the US and EU, apparently to support Russian's invasion of its neighbor.

The seizure is also part of a long-running legal and technical hunt by Microsoft to disrupt the work of Strontium – aka APT28 and FancyBear, among other names – via an expedited court process that enables the company to quickly get judicial approval for such actions, according to Tom Burt, corporate vice president of customer security and trust at Microsoft.

Before the latest seizures, Microsoft had used this process 15 times to take over more than 100 domains controlled by Strontium, which is thought to be run by the GRU, Russia's foreign military intelligence agency. Microsoft obtained a court order for the most recent operation on April 6 and acted immediately.

After taking control of the infrastructure, Microsoft redirected the domains to a sinkhole it controls, enabling the company to mitigate Strontium's attacks and notify the victims.

"Strontium was using this infrastructure to target Ukrainian institutions including media organizations," Burt wrote. "It was also targeting government institutions and think tanks in the United States and the European Union involved in foreign policy. We believe Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information."

Redmond contacted Ukrainian government officials about Strontium's activities and Microsoft's actions, he wrote.

The latest case involving Strontium illustrates the state of modern warfare, with the battle in cyberspace running alongside the military battles going on in the physical world.

• Russian media watchdog bans Google from advertising its services
• Russia (still) trying to weaponize Facebook for spying, Ukraine-war disinfo
• Intel suspends all operations in Russia weeks after halting chip shipments
• Google: Russian credential thieves target NATO, Eastern European military

"The Strontium attacks are just a small part of the activity we have seen in Ukraine," Burt said. "Before the Russian invasion, our teams began working around the clock to help organizations in Ukraine, including government agencies, defend against an onslaught of cyberwarfare that has escalated since the invasion began and has continued relentlessly."

Since the invasion, Microsoft has seen "nearly all of Russia's nation-state actors engaged in the ongoing full-scale offensive against Ukraine's government and critical infrastructure, and we continue to work closely with government and organizations of all kinds in Ukraine to help them defend against this onslaught."

Microsoft's threat intelligence researchers are working on a more comprehensive report about the scope of the cyberwar surrounding the invasion of Ukraine, he said.

Russia and its allies started their cyberattacks on Ukraine in the run-up to the invasion, which began February 24, and have only increased their efforts since, targeting both Ukrainian government agencies and private companies as well as government organizations around the world that have shown sympathy for Ukraine or participated in the mounting sanctions against the country.

In that vein, the US government agencies, such as the Cybersecurity and Infrastructure Security Agency (CISA) and its Shields Up alert, and Western allies have warned enterprises to harden their cybersecurity efforts to protect against spillover from Russian cyber-activities in Eastern Europe.

Most recently, Facebook parent Meta said this week that the social media giant is continuing to push back against a surge of cyber-spying and disinformation campaigns by Russia and its agents related to the Ukraine invasion. The efforts have come not only from Russia, but also Belarus as well as Russia-linked threat groups like Ghostwriter, Meta said. ®