Microsoft takes down APT28 domains targeting Ukraine with a court order

The court order stopped Russian hacker domains used in organized attacks against Ukraine

Russian hacker operations against Ukraine were interrupted by Microsoft

Microsoft disrupted attacks against Ukrainian targets organized by the Russian APT28 group. Seven domains related to the attacks and used by the infrastructure got taken down.^[1] State-sponsored hacker group is operating by military intelligence service, and the goal of the court order obtained by Microsoft was to neutralize these cyber attacks on Ukraine.^[2]

The Fancy Bear/ Strontium/ APT28 hacker group^[3] is linked to various state-backed attacks, and these recent attacks were used to target multiple Ukrainian institutions like media organizations and humanitarian institutions. These same domains were apparently used to attack the EU and US government institutions.

The Vice President of Customer security & Trust at Microsoft, Tom Burt, stated:

On Wednesday, April 6th, we obtained a court order authorizing us to take control of seven internet domains Strontium was using to conduct these attacks

The group was focused on maintaining the long-term persistence and access so sensitive information could be exfiltrated. These domains have been taken down and redirected to a sinkhole controlled directly by Microsoft. The use of these domains can be mitigated by the company and victim notifications can be enabled.

Meta also takes action against groups attacking Ukraine. Taking down accounts, blocking domains of government-linked hacker teams, and even disrupting the Ghostwriter group. The hacker team tried to break into the Facebook accounts related to Ukrainian military personnel.

Multiple cases of attacks targeting governments

Microsoft has already filed 15 cases related to the Russian-backed threat group.^[4] These hackers suffered when the 91 malicious domains related to their operations got seized. This particular disruption of their operations is only a part of the long-term actions against the infrastructure. There are legal processes that enable researchers to obtain crout decisions to justify these takedowns.

This disruption is part of an ongoing long-term investment, started in 2016, to take legal and technical action to seize infrastructure being used by Strontium

This APT28 group has been active since at least 2004 and operates on behalf of Russia's General Staff Main Intelligence Directorate. Various cyber espionage campaigns and malware deployment attacks have been released by these hackers. They have targeted governments worldwide. There are hackers responsible for incidents in Germany, hacks aimed at individuals of the Clinton Campaign in 2018.

Russian wiper malware blamed for Viasat cyber attack

The US satellite communication provider recently had an accident that triggered the outage of service across central and eastern Europe.^[5] It was speculated at first that the incident was related to the wiper malware, and newly released research confirms these details about the cybersecurity attack. The attack led to disconnected remote access to about 5,800 wind turbines across Germany too.

The wiper malware named AcidRain is designed to remotely erase modems and routers that can be vulnerable and accessed. The generic malware is related to the user in Italy with the name ukorp, allegedly meaning Ukraine operation. This virus can attempt to destroy data on various storage devices. It is wiping these processes, and it can make devices inoperable.

There are no particular reports that could confirm, but the functionality of this malware has many similar features to another virus attributed to the Russian-backed group Fancy Bear or the APT28 hacking group. FBI linked the VPNFilter malware with these state-sponsored hackers before. This AcidRain malware has been the seventh strain of particular wiper virus targeting Ukraine since February 24th – the start of Russia's invasion.