Microsoft Takes Down Domains Used in Cyberattack Against Ukraine

The APT28 (Advanced persistence threat) is operating since 2009, this group has worked under different names such as Sofacy, Sednit, Strontium Storm, Fancy Bear, Iron Twilight, and Pawn.

Microsoft seized seven domains it claims were part of ongoing cyberattacks by what it said are state-sponsored Russian advanced persistent threat actors that targeted Ukrainian-related digital assets.

The company obtained court orders to take control of the domains it said were used by Strontium, also known as APT28, Sofacy, Fancy Bear and Sednit. In a blog post outlining the actions, Microsoft reported attackers used the domains to target Ukrainian media organizations, government institutions and foreign policy think tanks based in the U.S. and Europe.

“We obtained a court order authorizing us to take control of seven internet domains Strontium was using to conduct these attacks,” said Tom Burt, corporate vice president of Customer Security and Trust at Microsoft.

Sinkhole is a security term that refers to the redirection of internet traffic from domains, at the domain-server network level, by security researchers for analysis and mitigation. Microsoft did not specify how the domains were specifically being abused, beyond identifying those targeted.

“We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and enable victim notifications,” Burt said.

Researchers, said the APT was attempting to establish persistent, or long-term, access to a target’s system. This, they suggested, would facilitate a second stage attack that would likely include extraction of sensitive information such as credentials.

“This disruption is part of ongoing long-term investment, started in 2016, to take legal and technical action to seize infrastructure being used by Strontium. We have established a legal process that enables us to obtain rapid court decisions for this work,” Microsoft said.

Sinkhole History

Prior to this, Microsoft seized 91 malicious domains as part of 15 separate court orders against what it asserts are Russian-language threat groups, dating back to August 2014.

The use of going through the courts to obtain a temporary restraining order against those identified as behind the malicious domains has been the main method that Microsoft has used to disrupt malicious campaigns. The court order shuts down the malicious activity and gives Microsoft the legal authority to reroute traffic to domains Microsoft controls.

Sinkholes are a time-tested and accepted method for disrupting the operation of botnets and other malware enterprises and are used in a variety of ways. Researchers often will work with hosting providers to reroute traffic from malicious domains to ones controlled by the researchers or by law enforcement, helping to cut off the lifeline of the criminal operations and allow for a forensic analysis of traffic used to establish the source, nature and scope of an attack.

In the case of APT28, in 2016 the Federal Bureau of Investigation and the US Department of Homeland Security implicated the hacking group in attacks against several U.S. election-related targets.

More recently, Strontium is believed to have teamed up with Belarusian hacking group Ghostwriter to launch phishing attacks targeting Ukrainian officials, according to Google. European satellite services have also been targeted by unverified threat actors as part of an escalating cyber offensive designed to hurt Ukraine.


Reported By: Sagar Tiwari, an independent security researcher and technical writer.

Suggested articles