Microsoft Removes Domains Used For Cyber Attacks On Ukraine

Microsoft has seized domains that it claims were part of ongoing cyber attacks appeared to be perpetrated by Russian advanced persistent threat actors that targeted Ukrainian-related digital access. Microsoft was able to obtain court orders to take over the domains, which it stated were used by Strontium, also known by the names APT28, Fancy Bear and Sofancy.

The court orders enabed Microsoft to take control of the domains  with the goal of neutralizing its attacks on Ukraine. “We recently observed attacks targeting Ukrainian entities from Strontium, a Russian GRU-connected actor we have tracked for years,” said Microsoft in a statement.

Microsoft reported that the domains were used to target organisations such as government institutions, media organisations, foreign policy think tanks and other key industries. Microsoft did not specify how the domains were specifically being abused, beyond identifying those targeted.

Although the specific usage of the domains was not clarified, Microsoft stated that the APT was attempting to establish persistent access to a target’s system that would have likely facilitated a second stage attack. This would have been a harmful attack that included the extraction of information such as credentials.

The APT28, considered to be state-sponsored hackers used by Russian  intelligence service, has been operating since 2009 and this group has worked under various different names  including as Sofacy, Sednit, Strontium, Storm, Iron Twilight, and Pawn as well as Fancy Bear.

“We obtained a court order authorising us to take control of seven internet domains Strontium was using to conduct these attacks,” said Tom Burt, corporate vice president of Customer Security and Trust at Microsoft. “We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and enable victim notifications,” Burt said.

Sinkhole is a security term that refers to the redirection of internet traffic from domains, at the domain-server network level, for analysis and mitigation by security researchers. Sinkholes are a method typically used for disrupting the operation of botnets and other malware activities. 

Researchers, said the APT was attempting to establish persistent, or long-term, access to a target’s system. This, they suggested, would facilitate a second stage attack that would likely include extraction of sensitive information such as credentials. “This disruption is part of ongoing long-term investment, started in 2016, to take legal and technical action to seize infrastructure being used by Strontium. We have established a legal process that enables us to obtain rapid court decisions for this work,” Microsoft said.

Prior to this, Microsoft seized 91 malicious domains as part of 15 separate court orders against what it asserts are Russian-language threat groups going as far back as 2014.

The use of court orders to obtain a temporary restraining order against those identified as behind the malicious domains has been the main method that Microsoft has used to disrupt malicious campaigns. The court order shuts down the malicious activity and gives Microsoft the legal authority to reroute traffic to domains Microsoft controls.

Researchers often work with hosting providers to reroute traffic from malicious domains to ones controlled by the researchers or by law enforcement, helping to cut off the lifeline of the criminal operations and allow for a forensic analysis of traffic used to establish the source, nature and scope of an attack. “The Strontium attacks are just a small part of the activity we have seen in Ukraine. Before the Russian invasion, our teams began working around the clock to help organisations in Ukraine, including government agencies, defend against an onslaught of cyber warfare that has escalated since the invasion began and has continued relentlessly." according to Microsoft.

“Since then, we have observed nearly all of Russia’s nation-state actors engaged in the ongoing full-scale offensive against Ukraine’s government and critical infrastructure, and we continue to work closely with government and organisations of all kinds in Ukraine to help them defend against this onslaught... In the coming weeks we expect to provide a more comprehensive look at the scope of the cyberwar in Ukraine,” says Microsoft’s blog.

Microsoft:      The Hacker News:      Threatpost:     Oodaloop:     PCGamer:     Security Boulevard

You Might Also Read: 

US Sanctions Russia In Retaliation For Cyber Attacks:

 

« EU Officials Targeted with Pegasus Spyware
Police Shut Down RaidForums Hackers »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Synovum

Synovum

Synovum was formed with the intention to provide high quality advice, consultancy, training and project management services to clients in all sectors of industry.

Hack Miami

Hack Miami

HackMiami is the premier resource in South Florida for highly skilled hackers that specialize in vulnerability analysis, penetration testing, digital forensics, and all manner of IT security.

Canadian Centre for Cyber Security (CCCS)

Canadian Centre for Cyber Security (CCCS)

The Cyber Centre is the single unified source of expert advice, guidance, services and support on cyber security for government, critical infrastructure, the private sector and the public.

Arcanum Information Security (AIS)

Arcanum Information Security (AIS)

Arcanum Information Security is a specialist Information Assurance Consultancy and a leading provider of Cyber Security services to UK Defence, UK Government, Enterprise businesses and SMEs.

Blockchain Slovakia

Blockchain Slovakia

Blockchain Slovakia is a non-profit organization that brings together researchers, developers, entrepreneurs, regulators, investors and the public to support blockchain technology in Slovakia.

achelos

achelos

achelos is an independent software development company providing innovative technical solutions for micro-processor chips / security chips and embedded systems in security-critical application fields.

Sera-Brynn

Sera-Brynn

Sera-Brynn is one of the highest-ranked, pure-play cybersecurity compliance and advisory firms in the world.

Synectics Solutions

Synectics Solutions

Synectics deliver solutions for reducing risk, combating financial crime, and enabling organisations to meet their compliance and regulatory commitments.

Crypto International

Crypto International

Crypto International offers comprehensive services for the operation of our customers’ IT and communication infrastructure, with a focus on cybersecurity and encryption solutions.

BridgingMinds Network

BridgingMinds Network

BridgingMinds Network is an industry leading best practices and IT security training provider in Singapore.

Core to Cloud

Core to Cloud

Core to Cloud provide consultancy and technical support for the planning and implementation of sustainable security strategies.

Intelequia

Intelequia

Intelequia SOC is the Security Operations Center your company needs. 24x7 monitoring, protection and automated response to cyber threats.

NETAND

NETAND

NETAND privileged access and identity management solutions will secure your business from cyber threats.

Nexer

Nexer

Nexer is a modern tech company with expertise in strategy, technology and communication with a strong vision.

Cyberlocke

Cyberlocke

Cyberlocke is dedicated to finding inventive solutions to meet the distinct IT obstacles of each organization we support.

LEPHISH

LEPHISH

LePhish is a French cybersecurity solution specializing in automated phishing campaigns.