- Microsoft disrupted a campaign by the Russian threat actor known as Strontium (APT 28 or Fancy Bear) intent on attacking Ukraine media organizations, as well as U.S. and European Union government agencies and think tanks working in the foreign policy space, the company said Thursday.
- The company obtained a court order on April 6 to seize control of seven internet domains used by Strontium, according to a blog post from Tom Burt, corporate vice president, customer security and trust at Microsoft.
- The domains were redirected to a Microsoft-controlled sinkhole — a server designed to redirect malicious domain traffic — allowing the company to mitigate the activity and notify targets of cyberattacks.
The disruption marks the latest effort by Microsoft to curb Strontium, noting that it has taken similar actions 15 times to seize more than 100 domains used by the threat actor.
Strontium, more widely known in the national security space as Fancy Bear, has been linked to attacks against the U.S. since 2016, when it hacked the Democratic National Committee ahead of the U.S. presidential election.
In 2020, Microsoft disclosed what it called strong evidence of credential harvesting by Strontium against U.S. and U.K. organizations directly involved in political campaigns.
The new assault is the latest in a series of attacks linked to the invasion of Ukraine.
The nation has been hit by numerous malware attacks, involving more than a half dozen malicious wipers that clean data from a targeted system as well as botnet attacks that hijack various devices to compromise computer systems. Microsoft researchers believe the recent campaign sought long term access to target organizations in order to help the war effort against Ukraine and to steal sensitive data.
The Biden administration has been working closely with private industry to collaborate to protect U.S. critical infrastructure leading up to and since the Ukraine invasion in late February.
"Operational collaboration through efforts such as our Joint Cyber Defense Collaborative ensure CISA is receiving and sharing critical information in real time, to help detect emerging threats and prevent other victims from being impacted," a spokesperson for the Cybersecurity and Infrastructure Security Agency told Cybersecurity Dive via email.
The Department of Justice announced Wednesday a court-ordered action to disrupt the Cyclops Blink botnet, which was used by the threat actor known as Sandworm to infect thousands of devices around the world.
Cyclops Blink, originally discovered in late February, was found attacking firewall appliances from WatchGuard Technologies and routers from Asus to attack users. The malware was considered a more destructive version of VPNFilter malware that was deployed by the threat actor in 2018.
The FBI told Cybersecurity Dive in an email it could "neither confirm nor deny the existence of an investigation."
Microsoft said it notified the Ukraine government of the disruption. The State Department did not immediately return requests for comment, nor did Ukraine officials. The European Union Agency for Cybersecurity (ENISA) said it is monitoring the situation closely, but otherwise can’t provide comment.