UPDATED 23:30 EDT / APRIL 07 2022

SECURITY

Microsoft seizes domains linked to Russian hacking group targeting Ukraine

Microsoft Corp. today said it has taken control of seven internet domains linked to a Russian state-sponsored hacking group that was actively targeting sites and companies in Ukraine.

The takedown targeted the Russian hacking group Strontium, also known as APT28 and Fancy Bear. Microsoft had previously taken down domains linked to the group in 2018.

Microsoft’s takedown of the latest domains used by Fancy Bear started with a court order on April 6. The court order authorized Microsoft to take control of seven internet domains the hacking group was using. Since taking control of the domains, Microsoft has since redirected these domains to a so-called sinkhole, allowing Microsoft both to mitigate the attacks and to enable victim notification.

Although the domains were being used to target Ukrainian institutions, including media outlets, the Strontium attacks were not limited to Ukraine. Microsoft noted that the hacking group was also targeting government institutions and think tanks in the U.S. and Europe that involved foreign policy.

Microsoft believes Strontium has a long-term goal to establish access to the systems of its targets to provide tactical support for the physical invasion of Ukraine and exfiltrate sensitive information.

“This disruption is part of an ongoing long-term investment, started in 2016, to take legal and technical action to seize infrastructure being used by Strontium, Tom Burt, corporate vice president, customer security and trust at Microsoft, said in a blog post today. “We have established a legal process that enables us to obtain rapid court decisions for this work. Prior to this week, we had taken action through this process 15 times to seize control of more than 100 Strontium controlled domains.”

Before the Russian invasion of Ukraine, Strontium, more commonly known as Fancy Bear, was the subject of a joint U.S. and U.K. security warning.

In July, U.S. National Security Agency, the Department of Homeland Security’s Cybersecurity and Infrastructure Agency, the Federal Bureau of Investigation and the U.K. National Cyber Security Center warned that the hacking group was conducting a campaign of brute-force attacks to gain access to networks and steal data.

Fancy Bear/Strontium was found to be using a Kubernetes cluster to conduct widespread, distributed and anonymized brute-force access attempts against hundreds of government and private sector targets worldwide. The campaign primarily targeted organizations using Microsoft Corp.’s Office 365 clouds services and also targeted other service providers and on-premises email servers using a variety of protocols.

Photo: Kremlin

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU