Microsoft Seizes Russian Domains Targeting Ukraine
Tech Firm Seizes 7 Domains Used by APT28/Strontium to Establish Persistent Access
Technology giant Microsoft says it has seized control of seven domains that belonged to Russian GRU-linked, state-sponsored threat group Strontium. The group, also known as APT28 and Fancy Bear, used the domains to target Ukrainian institutions, such as its media organizations, and also had U.S. and EU government entities and decision-makers on its radar, Microsoft says.
Tom Burt, corporate vice president of customer security and trust for Microsoft, in a blog post published on Thursday says, “On April 6, we obtained a court order authorizing us to take control of seven internet domains [that] Strontium was using to conduct these attacks. We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and enable victim notifications.”
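The two outcomes Burt describes, cutting off the adversary's use of the domains and notifying victims, both follow from the same mechanism: once the domains are under the defender's control, DNS for them answers with a defender-owned address, and each query that still arrives reveals a network that was reaching for the seized infrastructure. The following Python example, added here and not Microsoft's code, models that bookkeeping. The domain names, sinkhole address, network-to-owner mapping and query log are all constructed placeholders.

```python
"""Sinkhole bookkeeping for seized domains (added example, not Microsoft's code).

After a court order transfers a domain to the defender, DNS for it is pointed at
an address the defender controls. Hosts that still look the domain up reach the
sinkhole instead of the adversary, and the source of each query identifies a
network whose owner can be notified. Every domain, address, owner and log line
below is a constructed placeholder.
"""
from collections import defaultdict
import ipaddress

SINKHOLE_IP = "192.0.2.1"  # TEST-NET-1 address standing in for the defender-controlled host

# Constructed stand-ins for seized attacker domains (assumption, not real indicators).
SEIZED_DOMAINS = {"seized-domain-1.example", "seized-domain-2.example"}

# Constructed mapping of client networks to the organizations that own them.
NETWORK_OWNERS = {
    "10.10.0.0/16": "Ministry placeholder A",
    "10.20.0.0/16": "Media outlet placeholder B",
}

# Constructed query log: timestamp, client address, queried name.
SAMPLE_QUERIES = """\
2022-04-07T09:00:00Z 10.10.4.7 mail.seized-domain-1.example
2022-04-07T09:00:03Z 10.20.1.9 seized-domain-2.example.
2022-04-07T09:00:05Z 10.20.1.9 www.legitimate.example
2022-04-07T09:01:00Z 10.10.4.8 SEIZED-DOMAIN-1.example
2022-04-07T09:02:00Z 172.16.0.5 seized-domain-1.example
"""


class Sinkhole:
    def __init__(self, seized, owners):
        self.seized = {d.lower() for d in seized}
        self.networks = [(ipaddress.ip_network(n), org) for n, org in owners.items()]
        self.hits = defaultdict(set)  # seized domain -> client addresses that queried it

    def resolve(self, qname, client_ip):
        """Answer a seized domain (or any subdomain of it) with the sinkhole address.

        Returns None for names that are not seized, meaning normal resolution continues.
        """
        labels = qname.rstrip(".").lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.seized:
                self.hits[candidate].add(client_ip)
                return SINKHOLE_IP
        return None

    def owner_of(self, client_ip):
        """Look up which known network a querying client belongs to."""
        addr = ipaddress.ip_address(client_ip)
        for net, org in self.networks:
            if addr in net:
                return org
        return None

    def notifications(self):
        """Seized domain -> owners to notify; sources outside known networks are 'unattributed'."""
        return {
            domain: {self.owner_of(ip) or "unattributed" for ip in clients}
            for domain, clients in self.hits.items()
        }


def replay(log_text, sinkhole):
    """Feed a query log through the sinkhole; return how many queries were answered by it."""
    answered = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        if sinkhole.resolve(qname, client) is not None:
            answered += 1
    return answered


if __name__ == "__main__":
    sh = Sinkhole(SEIZED_DOMAINS, NETWORK_OWNERS)
    print("sinkholed queries:", replay(SAMPLE_QUERIES, sh))
    for domain, owners in sh.notifications().items():
        print(domain, "->", sorted(owners))
```

The subdomain walk in `resolve` matters because phishing infrastructure is usually reached through hostnames under the seized apex (mail, login, cdn), not the apex itself; matching only exact names would miss most of the victim traffic.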
According to Microsoft, Strontium was trying to establish persistent access or install backdoors in its targeted systems. The aim of this move may have been to provide tactical support for Russia’s physical invasion of Ukraine and to exfiltrate sensitive information, Burt says.
Ukraine’s government has been made aware of this activity and the subsequent action that Microsoft has taken, the company says.
Neither Microsoft nor Burt specified the malicious activities that were carried out from these seven seized domains, but David Cuddy, general manager for public affairs at Microsoft, says in a tweet that they were primarily being used for phishing attempts.
This is one of the phishing attempts from Strontium. pic.twitter.com/c2bOEUIEqB
— David Cuddy (@dacuddy) April 7, 2022
Ongoing Campaign Against Strontium
The current disruption and seizure of Strontium’s illicit infrastructure is part of an “ongoing long-term investment,” Burt says. Since 2016, Microsoft has been taking legal and technical action to seize infrastructure being used by Strontium (see: Microsoft Battles Fancy Bear Hackers – With Lawyers).
To do this, Microsoft says it “established a legal process that enables us to obtain rapid court decisions.” Prior to this week’s seizure, Microsoft had taken action 15 times through this process to seize control of more than 100 Strontium-controlled domains.
In its annual Digital Defense Report, the technology firm says that Strontium attempted to infiltrate user accounts across all continents, but that the group is “predominantly focused on organizations based in the U.S., followed by Ukraine, the U.K., and NATO allies and member states across Europe.” Microsoft says Russia’s declaration that these countries are “unfriendly” is the major reason for that.
In September 2022, Strontium attempted to attack more than 200 election-related organizations, including political campaigns, advocacy groups, parties and political consultants, according to Microsoft’s Threat Intelligence Center (see: Final Report: More 2016 Russian Election Hacking Details).
Since 2016, Strontium has updated its tactics, adding new reconnaissance tools and obfuscation techniques, Microsoft says. The APT group now focuses on brute-force and password-spraying attacks, which it runs through more than 1,000 constantly rotating IP addresses, many of which use the Tor anonymizing network.
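The rotating-IP detail is what makes this activity hard to catch with per-source thresholds: a spray touches each account only once or twice, and each source address only a few times. The Python example below, added here and not code from Microsoft or the article, aggregates sign-in failures per time window across all sources, flagging a window as a spray when many distinct accounts fail but no single account fails often, and separately flagging a single account with many failures as a brute-force attempt. The sign-in log lines and the Tor exit-node list are constructed sample data.

```python
"""Password-spray and brute-force detection over constructed sign-in logs.

Added example, not the article's or Microsoft's code. A spray tries a few
passwords against many accounts, so per-account failure counts stay low while
the number of failing accounts in a window spikes. Because the source addresses
rotate, the detection aggregates per window across every source and only then
counts how many distinct sources (and how many known Tor exits) were involved.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sign-in events: timestamp, account, source address, result.
SAMPLE_LOG = """\
2022-04-07T10:00:01Z alice 203.0.113.10 FAIL
2022-04-07T10:00:05Z bob   203.0.113.10 FAIL
2022-04-07T10:00:09Z carol 203.0.113.11 FAIL
2022-04-07T10:00:14Z dave  203.0.113.11 FAIL
2022-04-07T10:00:20Z erin  198.51.100.7 FAIL
2022-04-07T10:00:27Z frank 198.51.100.7 FAIL
2022-04-07T10:03:00Z alice 203.0.113.10 FAIL
2022-04-07T10:05:00Z grace 192.0.2.55   OK
2022-04-07T10:21:00Z bob   198.51.100.9 FAIL
2022-04-07T10:21:30Z bob   198.51.100.9 FAIL
2022-04-07T10:22:00Z bob   198.51.100.9 FAIL
2022-04-07T10:22:30Z bob   198.51.100.9 FAIL
"""

# Constructed stand-in for a Tor exit-node list; a real deployment would load a current list.
TOR_EXITS = {"203.0.113.10", "203.0.113.11"}


def parse(lines):
    """Yield (timestamp, account, source_ip, result) tuples from log lines."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, ip, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user.lower(), ip, result


def bucket_start(ts, window_minutes):
    """Floor a timestamp to the start of its tumbling window (window must divide 60)."""
    return ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0, microsecond=0)


def detect(lines, window_minutes=10, spray_min_accounts=5,
           spray_max_per_account=2, brute_min_failures=4):
    """Return alert dicts for password-spray windows and brute-forced accounts."""
    windows = defaultdict(lambda: {"fails": defaultdict(int), "sources": defaultdict(set)})
    for ts, user, ip, result in parse(lines):
        if result != "FAIL":
            continue
        w = windows[bucket_start(ts, window_minutes)]
        w["fails"][user] += 1
        w["sources"][user].add(ip)

    alerts = []
    for start in sorted(windows):
        w = windows[start]
        label = start.strftime("%Y-%m-%dT%H:%MZ")
        all_sources = set().union(*w["sources"].values())
        # Spray signature: many accounts failing, none of them failing repeatedly.
        if len(w["fails"]) >= spray_min_accounts and max(w["fails"].values()) <= spray_max_per_account:
            alerts.append({
                "kind": "password_spray", "window": label,
                "accounts": len(w["fails"]), "sources": len(all_sources),
                "tor_sources": len(all_sources & TOR_EXITS),
            })
        # Brute-force signature: one account hammered within the window.
        for user, n in w["fails"].items():
            if n >= brute_min_failures:
                alerts.append({
                    "kind": "brute_force", "window": label, "account": user,
                    "failures": n, "sources": len(w["sources"][user]),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Tumbling windows keep the example short; a production detector would use a sliding window and would also correlate the same account being tried across consecutive windows, since a slow spray can be spread over hours precisely to stay under thresholds like these.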
Microsoft says the Strontium attacks are just a small part of the high volume of activity that it has seen in Ukraine. “Before the Russian invasion, our teams began working around the clock to help organizations in Ukraine, including government agencies, defend against an onslaught of cyberwarfare that has escalated since the invasion began and has continued relentlessly,” Burt says.
Yuriy Shchyhol, head of the State Service for Special Communications and Information Protection of Ukraine, on March 28 acknowledged Microsoft’s support to Ukraine to thwart these cyberattacks, which were targeted at critical infrastructure. At the time, Shchyhol said, “Ukraine is helped by all the world’s leading IT companies, including giants such as Microsoft and Oracle.”
Since the beginning of the invasion, Microsoft has observed nearly all Russian nation-state actors engaged in the ongoing full-scale offensive against Ukraine’s government and critical infrastructure. “We continue to work closely with the government and organizations of all kinds in Ukraine to help them defend against this onslaught. In the coming weeks we expect to provide a more comprehensive look at the scope of the cyberwar in Ukraine,” Microsoft says.
The Ukrainian CERT has published information on the distribution of a malicious email – with the subject “No. 1275 from 07.04.2022” – containing an HTML file of the same name. On opening the file, an archive named “1275_07.04.2022.rar” is created on the computer, and it contains a LNK file called “On the facts of persecution and murder of prosecutors by the Russian military in the temporarily occupied territories.lnk.” When opened, this file downloads and launches a malicious payload. CERT-UA attributes this activity to the Russian attack group UAC-0010, aka Armageddon/Gamaredon/Primitive Bear.
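The first link in that chain, an HTML attachment that writes an archive to disk when opened, is detectable at the mail gateway before any archive or shortcut is ever extracted: the archive has to be carried inside the HTML, most often as a base64 string, and its leading bytes are a recognizable archive signature. The Python check below is an added example, not CERT-UA's or Microsoft's code, and does not reproduce the sample from the advisory. It decodes the start of every long base64 run in an HTML attachment and flags runs that begin with an archive signature. The attachment is constructed, and the embedded blob is only an archive header followed by zero bytes, not a working archive.

```python
"""Flag HTML attachments that carry an embedded archive (added example).

Constructed sample: one benign base64 run (a PNG header, as a data: URI) and one
suspicious run whose decoded bytes start with a RAR archive signature. Neither
blob is a real file; both are a header followed by zero bytes.
"""
import base64
import re

# Leading bytes of common archive formats. Checked in this order so the longer
# RAR5 signature is tested before the RAR4 prefix.
ARCHIVE_MAGIC = [
    (b"Rar!\x1a\x07\x01\x00", "RAR5"),
    (b"Rar!\x1a\x07\x00", "RAR4"),
    (b"PK\x03\x04", "ZIP"),
    (b"7z\xbc\xaf\x27\x1c", "7-Zip"),
]

# A run of at least 64 base64 characters; short runs are far too common in HTML to be worth decoding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

PNG_BLOB = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 56).decode()
RAR_BLOB = base64.b64encode(b"Rar!\x1a\x07\x01\x00" + b"\x00" * 56).decode()

BENIGN_ATTACHMENT = (
    "<html><body>\n"
    '<img src="data:image/png;base64,' + PNG_BLOB + '">\n'
    "</body></html>"
)
SUSPICIOUS_ATTACHMENT = (
    "<html><body>\n"
    '<img src="data:image/png;base64,' + PNG_BLOB + '">\n'
    '<script>var blob = "' + RAR_BLOB + '";</script>\n'
    "</body></html>"
)


def embedded_archives(html):
    """Return (archive_kind, offset) for each base64 run that decodes to an archive header."""
    findings = []
    for m in B64_RUN.finditer(html):
        # Decoding the first 64 characters (48 bytes) is enough to see the signature.
        head = base64.b64decode(m.group(0)[:64], validate=True)
        for magic, kind in ARCHIVE_MAGIC:
            if head.startswith(magic):
                findings.append((kind, m.start()))
                break
    return findings


def scan_attachment(filename, content):
    """Gateway-style verdict for one attachment: HTML files carrying an archive are suspicious."""
    is_html = filename.lower().endswith((".html", ".htm"))
    archives = [kind for kind, _ in embedded_archives(content)] if is_html else []
    return {"filename": filename, "html": is_html, "archives": archives,
            "suspicious": bool(archives)}


if __name__ == "__main__":
    print(scan_attachment("No. 1275 from 07.04.2022.html", SUSPICIOUS_ATTACHMENT))
    print(scan_attachment("newsletter.html", BENIGN_ATTACHMENT))
```

The 64-character floor keeps the decoder away from the countless short base64 fragments in ordinary HTML, and decoding only the prefix of each run means a multi-megabyte blob costs the same as a small one. The later stages of the chain (the .lnk inside the archive, and the download it triggers) are better handled on the endpoint, where blocking shortcut files extracted from mail-borne archives is a well-established control.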
Earlier, in a similar operation, Microsoft seized control of 99 website domains allegedly used by the Iranian threat group Phosphorus in a spear-phishing campaign. The group had targeted journalists and activists throughout the Middle East (see: Microsoft Takes Control of 99 Websites From APT Group).
In December 2021, Microsoft received a court order from the U.S. District Court for the Eastern District of Virginia that granted Microsoft’s request to seize websites used by a China-based threat group called Nickel to gather intelligence from government agencies, think tanks and human rights organizations in the U.S. and 28 other countries, according to the company (see: Microsoft Gets Court Order to Disrupt Chinese Cyber Ops).