Microsoft Removes Domains Used For Cyber Attacks On Ukraine

Uploaded on 2022-04-20 in NEWS-News Analysis, INTELLIGENCE-Hot Spots-Russia, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Microsoft has seized domains that it claims were part of ongoing cyber attacks appeared to be perpetrated by Russian advanced persistent threat actors that targeted Ukrainian-related digital access. Microsoft was able to obtain court orders to take over the domains, which it stated were used by Strontium, also known by the names APT28, Fancy Bear and Sofancy.

The court orders enabed Microsoft to take control of the domains  with the goal of neutralizing its attacks on Ukraine. “We recently observed attacks targeting Ukrainian entities from Strontium, a Russian GRU-connected actor we have tracked for years,” said Microsoft in a statement.

Microsoft reported that the domains were used to target organisations such as government institutions, media organisations, foreign policy think tanks and other key industries. Microsoft did not specify how the domains were specifically being abused, beyond identifying those targeted.

Although the specific usage of the domains was not clarified, Microsoft stated that the APT was attempting to establish persistent access to a target’s system that would have likely facilitated a second stage attack. This would have been a harmful attack that included the extraction of information such as credentials.

The APT28, considered to be state-sponsored hackers used by Russian  intelligence service, has been operating since 2009 and this group has worked under various different names  including as Sofacy, Sednit, Strontium, Storm, Iron Twilight, and Pawn as well as Fancy Bear.

“We obtained a court order authorising us to take control of seven internet domains Strontium was using to conduct these attacks,” said Tom Burt, corporate vice president of Customer Security and Trust at Microsoft. “We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and enable victim notifications,” Burt said.

Sinkhole is a security term that refers to the redirection of internet traffic from domains, at the domain-server network level, for analysis and mitigation by security researchers. Sinkholes are a method typically used for disrupting the operation of botnets and other malware activities. 

Researchers, said the APT was attempting to establish persistent, or long-term, access to a target’s system. This, they suggested, would facilitate a second stage attack that would likely include extraction of sensitive information such as credentials. “This disruption is part of ongoing long-term investment, started in 2016, to take legal and technical action to seize infrastructure being used by Strontium. We have established a legal process that enables us to obtain rapid court decisions for this work,” Microsoft said.

Prior to this, Microsoft seized 91 malicious domains as part of 15 separate court orders against what it asserts are Russian-language threat groups going as far back as 2014.

The use of court orders to obtain a temporary restraining order against those identified as behind the malicious domains has been the main method that Microsoft has used to disrupt malicious campaigns. The court order shuts down the malicious activity and gives Microsoft the legal authority to reroute traffic to domains Microsoft controls.

Researchers often work with hosting providers to reroute traffic from malicious domains to ones controlled by the researchers or by law enforcement, helping to cut off the lifeline of the criminal operations and allow for a forensic analysis of traffic used to establish the source, nature and scope of an attack. “The Strontium attacks are just a small part of the activity we have seen in Ukraine. Before the Russian invasion, our teams began working around the clock to help organisations in Ukraine, including government agencies, defend against an onslaught of cyber warfare that has escalated since the invasion began and has continued relentlessly." according to Microsoft.

“Since then, we have observed nearly all of Russia’s nation-state actors engaged in the ongoing full-scale offensive against Ukraine’s government and critical infrastructure, and we continue to work closely with government and organisations of all kinds in Ukraine to help them defend against this onslaught... In the coming weeks we expect to provide a more comprehensive look at the scope of the cyberwar in Ukraine,” says Microsoft’s blog.

Microsoft:      The Hacker News:      Threatpost:     Oodaloop:     PCGamer:     Security Boulevard

You Might Also Read: 

US Sanctions Russia In Retaliation For Cyber Attacks:

 

« EU Officials Targeted with Pegasus Spyware
Police Shut Down RaidForums Hackers »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Cyber Senate

Cyber Senate

Cyber Senate is dedicated to bringing Operators of Essential Services together with global subject matter experts to address the challenges of evolving cyber threats to critical infrastructure.

Netteam

Netteam

Netteam designs, implements and services networking solutions for companies of all sizes.

Swiss Re

Swiss Re

Swiss Re Group is a leading wholesale provider of reinsurance, insurance and other insurance-based forms of risk transfer including cyber risk.

Phirelight Security Solutions

Phirelight Security Solutions

Phirelight empowers an enterprise to easily understand how their networks behave, while at the same time assessing and managing cyber threats in real time.

SIGA

SIGA

SIGA provides cyber security solutions for Industrial Control Systems SCADA systems used in critical infrastructures and industrial processes.

Lynx Technology Partners

Lynx Technology Partners

Lynx Technology Partners is a full service, full life-cycle risk-based security consulting firm.

Nemko

Nemko

Nemko offers testing, inspection, and certification services worldwide, mainly concerning products and systems, but also for machinery, installations, and personnel.

DMARC360

DMARC360

DMARC360 analyzes your email traffic patterns and sources, rapidly deploys email authentication protocols and monitors your email domains with automated recommendations and incident response.

PricewaterhouseCoopers (PwC)

PricewaterhouseCoopers (PwC)

PricewaterhouseCoopers is a multinational professional services network of firms headquartered in London, United Kingdom and operating in 157 countries.

PreEmptive Solutions

PreEmptive Solutions

PreEmptive Protection hit the sweet spot between cost, convenience and functionality by helping you protect and secure your apps in a smarter way.

Edureka

Edureka

Edureka is an online technology training provider with the most effective learning system in the world. We help professionals learn trending technologies for career growth.

Iris Powered by Generali

Iris Powered by Generali

Iris Powered by Generali is an identity theft resolution provider. Our offering combines expert assistance and support with user-friendly identity protection technology.

HiSolutions

HiSolutions

HiSolutions is a renowned consulting firms for IT governance, risk & compliance in Germany, combining highly specialized know-how in the field with profound process competence.

Unified National Networks (UNN)

Unified National Networks (UNN)

UNN’s mission is to unify the national networks and create a modern and cost efficient digital platform connecting the entire country.

Jera IT

Jera IT

Jera IT provide fully managed IT support, cybersecurity services, telecoms systems, and IT strategy consultancy to businesses based in Aberdeen and the surrounding area.

Defimoon

Defimoon

DeFimoon is the International Blockchain Development & Security Agency. We provide professional services and solutions at the highest quality on world-leading chains.