Microsoft has seized seven domains used by the Russian hacking group APT28 for cyberattacks, disrupting attacks against Ukraine coordinated by the group. The group, tracked by Microsoft as Strontium and also known as Fancy Bear or APT28, operates on behalf of Russia's military intelligence agency (GRU). It used the domains to target numerous Ukrainian institutions, including media organizations.

“On Wednesday, April 6th, we obtained a court order authorizing us to take control of seven internet domains Strontium was using to conduct these attacks,” said Tom Burt, Corporate Vice President of Customer Security & Trust at Microsoft. 

The company believes that Strontium intended to establish long-term access to the systems of its targets, provide tactical support for Russia's physical invasion, and exfiltrate sensitive information. Microsoft also notified the Ukrainian government of the activity it detected and of the action it took, cutting off the group's access to the Ukrainian organizations it was targeting.

Before this action, Microsoft had used the same legal process 15 times against Strontium, seizing control of more than 100 domains used by the group.

“This disruption is part of an ongoing long-term investment, started in 2016, to take legal and technical action to seize infrastructure being used by Strontium. We have established a legal process that enables us to obtain rapid court decisions for this work,” added Tom Burt.  

In addition to the attacks on Ukraine, the seized APT28 domains were also used to target government institutions and think tanks involved in foreign policy in the US and the EU. The group has been operating on behalf of the Russian GRU since at least 2004. Governments around the world have attributed cyber-espionage operations to it, including the 2015 attack on the German Bundestag, attacks on US political institutions in 2018, and the 2016 compromise of members of Hillary Clinton's presidential campaign. The EU has already sanctioned members of the group and its parent GRU unit for their involvement in the Bundestag attack.