Microsoft seized seven domains it claims were part of ongoing cyberattacks by what it said are state-sponsored Russian advanced persistent threat actors that targeted Ukrainian-related digital assets.
The company obtained court orders to take control of the domains it said were used by Strontium, also known as APT28, Sofacy, Fancy Bear and Sednit. In a blog post outlining the actions, Microsoft reported attackers used the domains to target Ukrainian media organizations, government institutions and foreign policy think tanks based in the U.S. and Europe.
“We obtained a court order authorizing us to take control of seven internet domains Strontium was using to conduct these attacks,” said Tom Burt, corporate vice president of Customer Security and Trust at Microsoft.
A sinkhole is a security term for the redirection of internet traffic from attacker-controlled domains, at the DNS level, to infrastructure controlled by defenders for analysis and mitigation. Microsoft did not specify how the domains were being abused, beyond identifying who was targeted.
“We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and enable victim notifications,” Burt said.
Researchers said the APT was attempting to establish persistent, or long-term, access to a target’s system. This, they suggested, would facilitate a second-stage attack that would likely include extraction of sensitive information such as credentials.
“This disruption is part of ongoing long-term investment, started in 2016, to take legal and technical action to seize infrastructure being used by Strontium. We have established a legal process that enables us to obtain rapid court decisions for this work,” Microsoft said.
Microsoft Takes Down Domains Used in Cyberattack Against Ukraine
Microsoft steps up defensive actions to ‘defend against an onslaught of cyberwarfare that has escalated since the invasion’ of Ukraine.
threatpost.com