Microsoft disrupts ‘Russian nation-state’ cyberattacks on Ukraine


Microsoft says it has observed and taken steps to disrupt cyberattacks by “a Russian nation-state actor” on Ukraine and its allies. The tech giant said it received a court order to take control of seven web domains used by Strontium, an APT group also known as Fancy Bear, which has been linked to Russia’s GRU intelligence agency.

Strontium was using this infrastructure to attack Ukrainian institutions including media, as well as government bodies and foreign policy think tanks in the US and EU. “We believe Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information,” Microsoft said.

Microsoft said its response was part of an initiative to tackle Strontium that began in 2016 and which has established “a legal process that enables us to obtain rapid court decisions for this work”.

The news follows the FBI’s disruption of a botnet operated by another GRU-linked group, Sandworm, indicating a concerted effort to crack down on Russian APTs.

Microsoft says it has been tracking the Strontium APT group, and developing legal means to disrupt it, since 2016. (Photo by Jean-Luc Ichard/iStock)

What is GRU and how is it linked to Fancy Bear?

Glavnoye Razvedyvatelnoye Upravlenie, or GRU, is Russia’s military intelligence agency. APT groups including Fancy Bear, also known as APT28 and Strontium, and Sandworm have often been ‘linked’ to the GRU, but Western governments have frequently stopped short of directly connecting them for reasons of diplomacy.

“There’s always a tendency to try to make it a little bit more implicit,” explains Dr Vasileios Karagiannopoulos, director, University of Portsmouth’s Cybercrime Awareness Clinic. “That’s why you have these terms like ‘state-backed’, for example, or groups that are ‘affiliated with the GRU’, not necessarily groups that are Russian military or the Russian government.”


In 2018, however, the UK’s NCSC concluded that a number of APT groups, including Fancy Bear and Sandworm, are “almost certainly” the GRU itself. And in 2020, the US Department of Justice identified six Russian nationals as members of GRU and charged them with computer crimes that researchers had attributed to these APTs, including the NotPetya malware attack.

These APTs are prolific, says Karagiannopoulos. “Fancy Bear and also Sandworm are two groups that have been linked quite significantly with attacks internationally and in Ukraine,” he explains. “We have seen multiple different tactics such as denial of service attacks [and] data thefts, essentially cyber espionage attacks, which are meant to exfiltrate information that is confidential so they can support the conflict in Ukraine.”

How is the West fighting Russian APTs?

The obscurity under which these APTs operate makes them impossible to fight through usual legal means, says Karagiannopoulos.

“We’re talking about groups that can be active across the globe,” he says. “We don’t even know where these hackers might be located and even if they are located in Russia, for example, how is law enforcement going to extradite them?”

Instead, public and private sector institutions are developing technical and legal mechanisms to disrupt these APTs’ attacks, Karagiannopoulos explains, and to protect the infrastructure and institutions they target.
