Microsoft Removes Domains Used for Ukraine Cyber-Attack!

Microsoft seized 7 domains it says were part of ongoing cyber-attacks by what it described as a state-sponsored Russian Advanced Persistent Threat (APT) actor targeting Ukrainian-related digital assets.

APT28 (Advanced Persistent Threat 28) has operated since 2009. The group has worked under various names, e.g. Sofacy, Sednit, Strontium, Fancy Bear, Iron Twilight & Pawn Storm.

Court Orders

The company obtained court orders to take control of the domains it said were used by Strontium, also known as APT28, Sofacy, Fancy Bear & Sednit. In a blog post outlining the actions, Microsoft reported that the attackers used the domains to target Ukrainian media organisations, government institutions & foreign policy think tanks based in the US & Europe.

“We obtained a court order authorising us to take control of 7 internet domains Strontium was using to conduct these attacks,” outlined Tom Burt, Corporate VP of Customer Security & Trust at Microsoft.

Security Expression

‘Sinkhole’ is a security term for the redirection of internet traffic away from malicious domains, at the DNS (domain name server) level, to servers controlled by security researchers for analysis & mitigation. Microsoft did not specify how the domains were being abused, beyond identifying those targeted.

“We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains & enable victim notifications,” Burt revealed.

2nd Stage Attack

Researchers outlined that the APT was attempting to establish persistent, or long-term, access to a target’s system. This, they suggested, would facilitate a 2nd stage attack that would likely include extraction of sensitive information such as credentials.

“This disruption is part of ongoing long-term investment, started in 2016, to take legal & technical action to seize infrastructure being used by Strontium. We have established a legal process that enables us to obtain rapid court decisions for this work,” Microsoft observed.

Sinkhole History

Before this, Microsoft seized 91 malicious domains as part of 15 separate court orders against what it says are Russian-language threat groups, dating back to Aug. 2014.

Using the courts to obtain a temporary restraining order against those identified as being behind the malicious domains has been the main method Microsoft has used to disrupt malicious campaigns. A court order shuts down the malicious activity & gives Microsoft the legal authority to re-route traffic to domains Microsoft controls.

Sinkholes are a tested & accepted method for disrupting the operation of botnets & other malware enterprises & are used in numerous ways.

Hosting Providers

Researchers will often work with hosting providers to re-route traffic from malicious domains to ones controlled by the researchers or by law enforcement, helping to cut off this centrepiece of criminal operations & allowing forensic analysis of the traffic to establish the source, nature & scope of an attack.
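To make the sinkhole mechanism described above concrete, here is an added example (not Microsoft's code and not from the article) of the decision logic a DNS-level sinkhole resolver applies: a query for a seized domain, or any subdomain of it, is answered with the address of a sinkhole server, and the querying client is recorded so that the victim can later be notified. The domain names and IP addresses are constructed placeholders from reserved documentation ranges, not the domains involved in the action the article reports.

```python
"""Minimal DNS sinkhole decision logic (added example, not Microsoft's code)."""
import struct
from datetime import datetime, timezone

# Constructed placeholders standing in for domains under a court-ordered takeover.
SINKHOLED_DOMAINS = {"seized-example-1.test", "seized-example-2.test"}
# Assumed sinkhole address, taken from the RFC 5737 documentation range.
SINKHOLE_IP = "192.0.2.10"


def parse_qname(packet, offset=12):
    """Read the query name that follows the 12-byte DNS header.

    Returns (lower-cased dotted name, offset of the byte after the name).
    """
    labels = []
    while True:
        length = packet[offset]
        if length == 0:           # root label terminates the name
            offset += 1
            break
        if length & 0xC0:         # compression pointers never appear in a plain query
            raise ValueError("unexpected compression pointer in query name")
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def is_sinkholed(qname):
    """True if qname is a seized domain or lies beneath one."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in SINKHOLED_DOMAINS for i in range(len(parts)))


def build_query(qname, qtype=1, txid=0x1234):
    """Build a minimal standard A query for qname (used here as sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def build_sinkhole_response(query, qname_end, qtype, ttl=60):
    """Echo the question and, for an A query, answer with the sinkhole address."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:qname_end + 4]
    if qtype != 1:
        # NOERROR with an empty answer section for non-A queries (e.g. AAAA)
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    # 0xC00C is a pointer back to the name at offset 12 (the question)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
              + bytes(int(octet) for octet in SINKHOLE_IP.split(".")))
    return header + question + answer


def handle_query(packet, client_ip, victim_log):
    """Return a sinkhole response for seized domains, else None (forward upstream).

    Every sinkholed lookup is appended to victim_log for later notification.
    """
    qname, qname_end = parse_qname(packet)
    qtype, _qclass = struct.unpack("!HH", packet[qname_end:qname_end + 4])
    if not is_sinkholed(qname):
        return None
    victim_log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "client": client_ip,
        "qname": qname,
    })
    return build_sinkhole_response(packet, qname_end, qtype)


def answer_ip(response):
    """Extract the IPv4 address from a single-answer A response."""
    return ".".join(str(b) for b in response[-4:])


if __name__ == "__main__":
    log = []
    # Constructed sample: a client (documentation address) resolving a seized subdomain.
    reply = handle_query(build_query("login.seized-example-1.test"), "198.51.100.7", log)
    print("answer:", answer_ip(reply))
    print("victim log:", log)
    print("unrelated domain forwarded:", handle_query(build_query("example.org"), "198.51.100.8", log) is None)
```

In a real deployment the `None` path would forward the query to an upstream resolver, and the victim log would feed the notification process the article mentions rather than sit in a Python list; the point of the example is that the sinkhole answers only for the seized names and records who asked.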

In the case of APT28, in 2016 the US Federal Bureau of Investigation (FBI) & the US Department of Homeland Security (DHS) implicated this hacking group in attacks against US election-related targets.

Belarusian

Recently, Strontium is thought to have paired up with the Belarusian hacking group ‘Ghostwriter’ to launch phishing attacks targeting Ukrainian officials, Google stated. European satellite services have also been targeted by as-yet unattributed threat actors as part of a growing cyber offensive designed to harm Ukraine.
