APT28 Domains Used in Cyberattacks Against Ukraine Taken Down by Microsoft
The Domains Were Also Used in Attacks on Govt Institutions in the United States and Europe.
Microsoft was able to successfully disrupt cyberattacks targeting Ukraine that were conducted by the Russian APT28 cybercrime group after shutting down seven domains used as attack infrastructure.
What Is APT28?
The Russian-backed APT28 (also known as Fancy Bear or Strontium) hacking gang, which is connected to the GRU Russian military intelligence agency, is a threat actor that has been operational starting with 2004.
The domains that were taken down were used by the hacking group to target multiple Ukrainian entities, including media organizations.
According to BleepingComputer, they were also used in attacks on US and EU government agencies and think tanks involved in foreign policy.
Tom Burt, Corporate Vice President of Customer Security & Trust at Microsoft declared:
On Wednesday, April 6th, we obtained a court order authorizing us to take control of seven internet domains Strontium was using to conduct these attacks.
We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and enable victim notifications.
We believe Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information.
APT28 hacking organization’s malicious activity and the disruption of attempts to hack targeted institutions’ networks in Ukraine were also reported to the Ukrainian government by Microsoft.
Governments Everywhere Targeted by the Hacking Group
Previously, in August 2018, Microsoft filed 15 more cases against the Russian-backed cybercrime gang, resulting in the seizure of 91 malicious domains.
This disruption is part of an ongoing long-term investment, started in 2016, to take legal and technical action to seize infrastructure being used by Strontium. We have established a legal process that enables us to obtain rapid court decisions for this work.
The developers of Fancy Bear have been associated with cyber-espionage operations against governments around the world, including a 2015 hack of the German federal parliament and 2016 attacks on the Democratic National Committee (DNC) and Democratic Congressional Campaign Committee (DCCC).
In 2020, numerous APT28 members were sanctioned by the Council of the European Union for their role in the 2015 cyberattack on the German Federal Parliament (Deutscher Bundestag).