Microsoft disrupts Russia-linked Strontium domains

Strontium is also infamously known as Fancy Bear

Microsoft has seized control of seven internet domains, which it says the Strontium hacking group used to launch cyberattacks against Ukrainian institutions, as well as government entities and think tanks in the US and Europe.

Strontium is Microsoft's codename for a hacking group that is linked to Russia's military intelligence agency (GRU) and is also known as Fancy Bear or APT28.

Microsoft Corporate Vice President Tom Burt said the company has been tracking Strontium for years, and recently spotted attacks targeting Ukrainian entities.

The company obtained a court order on Wednesday, 6th April, which authorised it to take down seven internet domains Strontium was using to carry out the attacks.

Since then the firm has redirected these domains to a Microsoft-controlled sinkhole, allowing it to mitigate Strontium's use of the domains and notify victims - including the Ukrainian government.

Microsoft describes the action as part of an ongoing 'long-term investment', which began in 2016, to take legal and technical steps against Strontium's infrastructure. The company says it has established a legal process that allows it to obtain quick court decisions for this exact work.

"Prior to this week, we had taken action through this process 15 times to seize control of more than 100 Strontium controlled domains," said Burt.

Strontium, also known as Fancy Bear and APT28, has been active since 2004. The group has conducted many espionage activities, against military entities and defence ministries in multiple countries, that have aided Russia's economic and political gains.

The group is also thought to have infiltrated networks belonging to the Democratic National Committee (the governing body of the US Democratic Party) in 2016. Nearly two years after that intrusion, the US Department of Justice linked APT28 with Russia's Main Intelligence Directorate of the Russian General Staff.

The disclosure from Microsoft comes as Facebook's parent firm Meta revealed this week that Russian state actors are seeking to exploit the social media platform against Ukraine via hacking, deception, and coordinated bullying campaigns.

Meta listed these cybersecurity threats in a quarterly report on Thursday.

Meta's global affairs director, Nick Clegg, claimed the company had dealt with propaganda from state-run media, influence efforts and cyber-espionage.

'Since the start of the Russian invasion of Ukraine, our teams have been on high alert to detect and disrupt threats and platform abuse, including attempts to come back by networks we removed before,' Meta said.

The firm said it took down a network of roughly 200 Facebook accounts in Russia that were working to falsely accuse individuals of breaking Facebook's policies in order to get posts about Ukraine removed and banned.

Meta executives noted they have observed a further increase in attacks by a Russia-linked hacker group known as Ghostwriter since the start of the Ukraine conflict.