Microsoft Shuts Down Six APT28 Phishing Domains

Microsoft claims to have shut down six phishing domains associated with an infamous Kremlin-sponsored group linked to 2016 presidential election interference, as tensions rise ahead of the mid-terms in November.

In a lengthy blog post, president Brad Smith said that Microsoft has increasingly been called upon to disrupt activity from the group, which was blamed by intelligence services for the theft and subsequent dissemination of sensitive Democratic Party data in the run up to the last presidential election.

“Microsoft’s Digital Crimes Unit (DCU) successfully executed a court order to disrupt and transfer control of six internet domains created by a group widely associated with the Russian government and known as Strontium, or alternatively Fancy Bear or APT28,” he explained. “We have now used this approach 12 times in two years to shut down 84 fake websites associated with this group.”

However, although Smith placed the shut down activity in the context of potential election interference ahead of the 2018 mid-terms, the domains themselves are non-partisan.

“One appears to mimic the domain of the International Republican Institute, which promotes democratic principles and is led by a notable board of directors, including six Republican senators and a leading senatorial candidate,” he continued. “Another is similar to the domain used by the Hudson Institute, which hosts prominent discussions on topics including cybersecurity, among other important activities. Other domains appear to reference the US Senate but are not specific to particular offices.”

To help repel the threat, Microsoft has announced a new initiative, AccountGuard, designed to provide “state-of-the-art” protection to all candidates and campaign offices at the federal, state and local level, as well as think tanks and political organizations.

The offering features threat notifications, user education and guidance and early adopter opportunities.

Experts welcomed the move but cautioned that it would do little to disrupt any Russian state-backed cyber-espionage.

“Though APT28 has leveraged data gathered from intrusions to carry out active measures, such as targeted leaks through false personas, incidents of this nature do not necessarily signify such an operation,” argued FireEye director of threat intelligence, John Hultquist. “In fact, the principal focus of APT28 has always been quiet intelligence collection for the decision advantage of its sponsors — the Russian military and policymakers.” 

F-Secure security advisor, Sean Sullivan, welcomed the new product offering, but said the discussion of the 2018 mid-terms threatens to overwhelm the bigger picture.

“The focus on think tanks holding pro-sanction views on Russia’s current regime is about espionage. In short: spies are going to spy,” he claimed. “That’s true whether or not it’s an election year. There seems to be a rush to conclude that these six domains are part of an ‘attack’ on the elections that risks missing the complete threat model — and therefore the complete countermeasures that should be taken.”

Dtex Systems CEO, Christy Wyatt, added that the shut downs are a mere drop in the ocean.

“Assessments we conducted as part of our 2018 Insider Threat Intelligence Report revealed that 67% of organizations had instances of employees visiting high risk websites, which is exactly what the sites Microsoft identified are,” she said.

What’s Hot on Infosecurity Magazine?