Microsoft says it has observed and taken steps to disrupt cyberattacks by “a Russian nation-state actor” on Ukraine and its allies. The tech giant said it received a court order to take control of seven web domains used by Strontium, an APT group also known as Fancy Bear, which has been linked to Russia’s GRU intelligence agency.
Strontium was using this infrastructure to attack Ukrainian institutions including media, as well as government bodies and foreign policy think tanks in the US and EU. “We believe Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information,” Microsoft said.
Microsoft said its response was part of an initiative to tackle Strontium that began in 2016 and which has established “a legal process that enables us to obtain rapid court decisions for this work”.
The news follows the FBI’s disruption of a botnet operated by another GRU-linked group, Sandworm, indicating a concerted effort to crack down on Russian APTs.
What is GRU and how is it linked to Fancy Bear?
Glavnoye Razvedyvatelnoye Upravlenie, or GRU, is Russia’s military intelligence agency. APT groups including Fancy Bear, also known as APT28 and Strontium, and Sandworm have often been ‘linked’ to GRU, but Western governments have frequently stopped short of connecting them directly, for reasons of diplomacy.
“There’s always a tendency to try to make it a little bit more implicit,” explains Dr Vasileios Karagiannopoulos, director of the University of Portsmouth’s Cybercrime Awareness Clinic. “That’s why you have these terms like ‘state-backed’, for example, or groups that are ‘affiliated with the GRU’, not necessarily groups that are Russian military or the Russian government.”
In 2018, however, the UK’s NCSC concluded that a number of APT groups, including Fancy Bear and Sandworm, are “almost certainly” the GRU itself. And in 2020, the US Department of Justice identified six Russian nationals as members of GRU and charged them with computer crimes that researchers had attributed to these APTs, including the NotPetya malware attack.
These APTs are prolific, says Karagiannopoulos. “Fancy Bear and also Sandworm are two groups that have been linked quite significantly with attacks internationally and in Ukraine,” he explains. “We have seen multiple different tactics such as denial of service attacks [and] data thefts, essentially cyber espionage attacks, which are meant to exfiltrate information that is confidential so they can support the conflict in Ukraine.”
How is the West fighting Russian APTs?
The obscurity under which these APTs operate makes them impossible to fight through usual legal means, says Karagiannopoulos.
“We’re talking about groups that can be active across the globe,” he says. “We don’t even know where these hackers might be located and even if they are located in Russia, for example, how is law enforcement going to extradite them?”
Instead, public and private sector institutions are developing technical and legal mechanisms to disrupt these APTs’ attacks, Karagiannopoulos explains, and to protect the infrastructure and institutions they target.