
Microsoft has seized domains that APT28, a state-sponsored group
operated by Russian military intelligence, used to target companies in Ukraine.
On Thursday, Microsoft reported it had recently observed attacks on Ukrainian companies by Strontium, a Russian GRU-connected actor it has tracked for years. This week the company managed to disrupt some of Strontium’s attacks on Ukrainian targets.
“We believe Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information,” stated Tom Burt, Microsoft's vice president for customer security.
Microsoft obtained a court order on April 6, authorizing it to take control of seven internet domains that Strontium used to conduct these attacks, and then redirected
these domains to a “sinkhole” controlled by Microsoft. This enabled Microsoft to mitigate Strontium’s current use of these domains and notify the victims.
The move is part of an ongoing investigation by Microsoft that began in 2016.
Prior to this week, Microsoft had taken action through this process 15 times to seize control of more than 100 domains controlled by the Russian group.
These attacks were expected, as the UK government notes, following the distributed denial of service (DDoS) attacks against the Ukrainian banking
system on February 15 and 16, 2022, that involved the Russian Main Intelligence Directorate (GRU).