Microsoft Goes After Russian Fake Domains Hitting Ukrainians



Microsoft says it is doing its part to help Ukraine defend against the Russian invasion by blocking internet domains that the company says Russia has been using to attack Ukrainian internet traffic and hack systems in the country.

In a blog post, Microsoft explained that the company has recently observed attacks targeting Ukrainian entities from Strontium, a Russian GRU-connected actor that it has tracked for years. Microsoft boasted that this past week it was able to disrupt some of Strontium’s attacks on targets in Ukraine.

“On Wednesday April 6th, we obtained a court order authorizing us to take control of seven internet domains Strontium was using to conduct these attacks,” said Microsoft. “We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and enable victim notifications.”

Strontium was using this infrastructure to target Ukrainian institutions including media organizations, asserted Microsoft. It was also targeting government institutions and think tanks in the United States and the European Union involved in foreign policy.

“We believe Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information,” said the company. “We have notified Ukraine’s government about the activity we detected and the action we’ve taken.”

Microsoft added that the Strontium attacks are just a small part of the activity that it has seen in Ukraine. Before the Russian invasion, Microsoft teams began working around the clock to help organizations in Ukraine, including government agencies, defend against what the company described as an onslaught of cyberwarfare that has “escalated since the invasion began and has continued relentlessly.”

“Since then,” says Microsoft, “we have observed nearly all of Russia’s nation-state actors engaged in the ongoing full-scale offensive against Ukraine’s government and critical infrastructure, and we continue to work closely with government and organizations of all kinds in Ukraine to help them defend against this onslaught. In the coming weeks we expect to provide a more comprehensive look at the scope of the cyberwar in Ukraine.”