Microsoft seized domains used by APT28 for attacks on Ukraine


Microsoft has disrupted malicious operations carried out against Ukraine by the APT28 group, which Western security researchers link to Russian intelligence services. The company gained control over seven domains that formed part of the group's attack infrastructure.

APT28 (also known as Strontium and Fancy Bear) used the domains that Microsoft has now disabled to attack many Ukrainian organizations, including media outlets, as well as government agencies and research institutions in the United States and Europe.

“On Wednesday, April 6, we received a court order authorizing us to seize control of seven Internet domains used by Strontium to carry out attacks. Since then, we have redirected these domains to Microsoft’s sinkhole (a server controlled by security specialists – ed.), which allowed us to prevent their use by the Strontium group and notify the victims,” said Tom Burt, Microsoft Corporate Vice President for Security and Trust.

Microsoft also notified the government of Ukraine about the group's malicious activity and about the disruption of its operations against Ukrainian organizations.

Before this operation, starting in August 2018, Microsoft brought 15 other legal cases against APT28, which eventually gave the company control over 91 malicious domains.

“This shutdown is part of an ongoing campaign launched in 2016, within the framework of which legal and technical measures are being taken to withdraw the infrastructure used by Strontium. We have organized a legal process that allows us to quickly obtain court permits for this,” Burt explained.