April 8, 2022 (updated 6 July 2022, 4:55am)

Microsoft disrupts ‘Russian nation-state’ cyberattacks on Ukraine

Crackdown on Russian APTs continues as Microsoft disrupts cyberattacks on Ukraine.

By Sophia Waterfield

Microsoft says it has observed and taken steps to disrupt cyberattacks by “a Russian nation-state actor” on Ukraine and its allies. The tech giant said it received a court order to take control of seven web domains used by Strontium, an APT group also known as Fancy Bear, which has been linked to Russia’s GRU intelligence agency.

Strontium was using this infrastructure to attack Ukrainian institutions including media, as well as government bodies and foreign policy think tanks in the US and EU. “We believe Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information,” Microsoft said.

Microsoft said its response was part of an initiative to tackle Strontium that began in 2016 and which has established “a legal process that enables us to obtain rapid court decisions for this work”.

The news follows the FBI’s disruption of a botnet operated by another GRU-linked group, Sandworm, indicating a concerted effort to crack down on Russian APTs.

Microsoft says it has been tracking the Strontium APT group, and developing legal means to disrupt it, since 2016. (Photo by Jean-Luc Ichard/iStock)

What is GRU and how is it linked to Fancy Bear?

Glavnoye Razvedyvatelnoye Upravlenie, or GRU, is Russia’s military intelligence agency. APT groups including Fancy Bear, also known as APT28 and Strontium, and Sandworm have often been ‘linked’ to GRU, but Western governments have often fallen short of directly connecting them for reasons of diplomacy.

“There’s always a tendency to try to make it a little bit more implicit,” explains Dr Vasileios Karagiannopoulos, director of the University of Portsmouth’s Cybercrime Awareness Clinic. “That’s why you have these terms like ‘state-backed’, for example, or groups that are ‘affiliated with the GRU’, not necessarily groups that are Russian military or the Russian government.”

In 2018, however, the UK’s NCSC concluded that a number of APT groups, including Fancy Bear and Sandworm, are “almost certainly” the GRU itself. And in 2020, the US Department of Justice identified six Russian nationals as members of GRU and charged them with computer crimes that researchers had attributed to these APTs, including the NotPetya malware attack.


These APTs are prolific, says Karagiannopoulos. “Fancy Bear and also Sandworm are two groups that have been linked quite significantly with attacks internationally and in Ukraine,” he explains. “We have seen multiple different tactics such as denial of service attacks [and] data thefts, essentially cyber espionage attacks, which are meant to exfiltrate information that is confidential so they can support the conflict in Ukraine.”

How is the West fighting Russian APTs?

The obscurity under which these APTs operate makes them impossible to fight through usual legal means, says Karagiannopoulos.

"We're talking about groups that can be active across the globe," he says. "We don't even know where these hackers might be located and even if they are located in Russia, for example, how is law enforcement going to extradite them?"

Instead, public and private sector institutions are developing technical and legal mechanisms to disrupt these APTs’ attacks, Karagiannopoulos explains, and to protect the infrastructure and institutions they target.
