Ukraine has been under siege since February, both on the streets of Kyiv and in cyberspace. Even as Russia’s membership in the UN Human Rights Council has been revoked and NATO and the US have pledged more troops to Kyiv, Microsoft reported that it has observed numerous hacking attempts by Russian military spies.
It seems that the spies were targeting Ukrainian institutions (such as media organizations), as well as American and European Union government bodies and think tanks that are involved in foreign policy. However, their designs were foiled, as Microsoft has successfully disrupted the hacking attempts.
Microsoft confirmed this in a blog post, stating that it observed recent attacks targeting Ukrainian entities from a group it has been tracking for years.
The group in question has been nicknamed “Strontium”; others also call it Fancy Bear or APT-28. Strontium seems to be connected to the Glavnoye Razvedyvatelnoye Upravlenie (GRU), Russia’s military intelligence agency.
This is not the first time that Microsoft has crossed paths with Strontium. It began in 2016, when Microsoft started taking legal and technical action to seize infrastructure being used by Strontium. To that end, it also established a legal process that enabled the company to obtain rapid court decisions. Apart from the recent attempts, Microsoft has so far seized control of over 100 Strontium-controlled domains and taken action through the process 15 times.
To thwart the hacking attempts, Microsoft obtained a court order that authorized the company to take control of seven internet domains that Strontium was using to conduct the attacks. Since then, Microsoft has redirected the domains to a sinkhole controlled by the company, which has enabled it to mitigate Strontium’s current use of the domains and to notify victims.
The exact reason behind the hacking attempts is not known, but Microsoft surmises that the group was trying to establish long-term access to the systems of its targets, provide tactical support for Russia’s physical invasion, and exfiltrate sensitive information. The Ukrainian government has been notified of the developments.
Since the invasion began, cyber-attacks against Ukraine by Russia have intensified. In fact, Microsoft has observed “nearly all of Russia’s nation-state actors engaged in the ongoing full-scale offensive against Ukraine’s government and critical infrastructure”, and continues to work closely with the government and organizations of all kinds in Ukraine to help them defend themselves.