Russia’s state-sponsored threat actors’ tools are being disconnected by legal actions one by one. Earlier today, we shared the FBI’s action toward Sandstorm’s C2 servers; disconnecting them from the infected devices. Now, Microsoft obtains a court order to take down domains used by APT28.
Domains are redirected to Microsoft
APT28 group is known as being operated Russian military intelligence service. The group is now targeting Ukraine, as expected. The court order that Microsoft obtained gives the company permission to take the control of 7 domains used by the group. Those domains are being redirected into a sinkhole that is controlled by Microsoft. By doing this, Microsoft will be able to mitigate APT28 operations and notify the victims.

The APT28 group has several names such as Sofacy, Sednit, Pawn Storm, Fancy Bear, Iron Twilight, and Strontium. It is an APT espionage group that has been around since 2009. Their main targets are the media, military, and governments. They attack security-focused international organizations as well. Tom Burt, corporate vice president, and customer security & trust at Microsoft said:
« Strontium was using this infrastructure to target Ukrainian institutions including media organizations. It was also targeting government institutions and think tanks in the United States and the European Union involved in foreign policy. We believe Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information. We have notified Ukraine’s government about the activity we detected and the action we’ve taken »
Microsoft states that APT28’s attacks are just a small part of the activity in Ukraine. All of the Russian state-sponsored threat actors have been attacking Ukrainian targets; even before the invasion.