Microsoft has claimed partial success at disrupting a prolific Russian APT group as it targeted Ukrainian entities this week but warned of a “full-scale offensive” in cyberspace.
Strontium (aka APT28) has been linked to Russia’s main intelligence agency, the GRU, and was involved in many politically motivated attacks, including the hacking and leaking of Democratic Party officials’ emails ahead of the 2016 US Presidential election.
The group was observed targeting Ukrainian institutions, including media organizations, as well as foreign policy government bodies and think tanks in the US and Europe, according to Microsoft corporate vice president of customer security and trust, Tom Burt.
“We believe Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information,” he added. “We have notified Ukraine’s government about the activity we detected and the action we’ve taken.”
That action involved disrupting the infrastructure used by APT28 to achieve its ends.
“On Wednesday April 6, we obtained a court order authorizing us to take control of seven internet domains Strontium was using to conduct these attacks,” Burt explained. “We have since redirected these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and enable victim notifications.”
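To show how a sinkhole turns seized domains into victim notifications, here is an added example (not Microsoft's tooling or the article's content): it reads constructed sinkhole resolver log lines, keeps only lookups of the seized names that were answered with the sinkhole address, and aggregates them per client into one notification record each. The domain names, the sinkhole address and the log lines are all made-up placeholders.

```python
from collections import defaultdict
from datetime import datetime

# Constructed placeholders: NOT the real seized domains or Microsoft's sinkhole address.
SINKHOLED_DOMAINS = {"example-c2-one.invalid", "example-c2-two.invalid"}
SINKHOLE_ADDR = "192.0.2.10"  # TEST-NET-1 address standing in for the sinkhole

# Constructed sinkhole resolver log: "<ISO time> <client IP> <queried name> <answer>"
SAMPLE_LOG = """\
2022-04-06T10:00:01Z 198.51.100.7 example-c2-one.invalid 192.0.2.10
2022-04-06T10:05:12Z 198.51.100.7 example-c2-one.invalid 192.0.2.10
2022-04-06T11:20:00Z 203.0.113.44 example-c2-two.invalid 192.0.2.10
2022-04-06T11:21:00Z 203.0.113.44 www.example.com 93.184.216.34
2022-04-06T12:00:00Z bad-line
"""

def parse_line(line):
    """Split one log line; return None for malformed lines instead of raising."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, name, answer = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return when, client, name.lower().rstrip("."), answer

def victims_from_log(log_text, watched=SINKHOLED_DOMAINS, sinkhole=SINKHOLE_ADDR):
    """Clients whose lookups of a seized domain were answered by the sinkhole."""
    victims = defaultdict(lambda: {"domains": set(), "first": None, "last": None, "hits": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        when, client, name, answer = rec
        if name not in watched or answer != sinkhole:
            continue  # unrelated lookup, or a domain not (yet) pointed at the sinkhole
        v = victims[client]
        v["domains"].add(name)
        v["hits"] += 1
        v["first"] = when if v["first"] is None or when < v["first"] else v["first"]
        v["last"] = when if v["last"] is None or when > v["last"] else v["last"]
    return dict(victims)

def notification_records(victims):
    """One line per client IP, the unit a network owner would be notified about."""
    return [f"{ip}: {v['hits']} lookups of {', '.join(sorted(v['domains']))} "
            f"between {v['first']:%Y-%m-%d %H:%M} and {v['last']:%Y-%m-%d %H:%M}"
            for ip, v in sorted(victims.items())]
```

The same filter, run by a defender over their own resolver logs, flags internal hosts that resolved a seized domain after it began answering with the sinkhole address.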
Microsoft has established a fast-track legal process for gaining court approval for its takedown efforts. Before this week, it used this process 15 times to take control of more than 100 Strontium-controlled domains, Burt said.
However, it’s a constant game of whack-a-mole, with APT28 sure to switch to alternative infrastructure to continue its campaign.
Interestingly, Burt claimed that “nearly all of Russia’s nation-state actors” are now engaged in a full-scale attack on Ukrainian critical infrastructure and government. It’s unclear what ends these attacks seek to achieve, but multiple destructive malware variants have been discovered since the start of the war.
However, that narrative is slightly at odds with GCHQ’s take on Russia’s cyber operations. Director of the spy service, Jeremy Fleming, said last week that the Kremlin is not looking to achieve a catastrophic “Cyber Pearl Harbor” event.