Microsoft defeats Russia’s strontium allies attacking Ukraine

Microsoft defeats Russia’s strontium allies attacking Ukraine

Need additional evidence that private organizations are playing a decisive role in slowing down and preventing nation-state cyberattacks? Just look at the actions Microsoft recently took to disrupt Russian GRU-connected Strontium attacks against Ukrainian targets.

Tom Burt, corporate vice president of customer service at Microsoft, blogged mail that the tech giant had obtained a court order allowing it to seize seven internet domains used by Strontium to carry out attacks against Ukrainian institutions, including the media.

“We have since redirected these domains to a Microsoft-controlled sinkhole, allowing us to mitigate Strontium’s current use of these domains and enable victim notifications,” Burt said, noting that the group was also attacking government institutions and think tanks involved in foreign policy and located in the US.

“The outcome of every war is defined by achieving many small victories; in this case, Microsoft took active steps to disrupt attacks on Ukrainian targets and is showing why we have not been as successful in attacking Russia as in previous conflicts,” said John Bambenek, Principal Threat Hunter at Netenrich. “The Russian playbook is quite well known and many organizations are collaborating to minimize or eliminate the impact these threat actors may have on Ukraine or affiliated entities.”

Strontium has been a formidable presence for years. “In 2014, Strontium attempted to compromise members of the Ukrainian military-linked Army SOS volunteer group through targeted phishing messages that led to the installation of malware called ‘Network Bridge,’” said Austin Merrit, Threat Intelligence Analyst cybernetics in Digital Shadows. “The group is also known to develop its own tools and exploit zero-day vulnerabilities.”

Because it is an extension of Russia’s GRU, “Strontium probably gets a lot of its orders and targets from the Kremlin,” Merrit said. “As the war in Ukraine drags on and Russia is forced to shift its original military objectives, nation-state groups like Strontium may launch more disruptive cyberattacks targeting Ukraine’s infrastructure, government, and media sectors. Ukraine”.

The Microsoft team believes that Strontium’s goal this time was to gain long-term access to victims’ systems and even support physical invasion and extract sensitive information. Microsoft began its efforts to disrupt nation-state actors just six years ago, and this most recent action shows how effective a private company’s contribution can be in the war against cyberattacks and the threat actors behind them. It also points out the importance of creating a framework to quickly deal with these threats in court.

“We have established a legal process that allows us to obtain speedy court decisions for this work,” Burt wrote. “Prior to this week, we had taken action through this process 15 times to take control of over 100 domains controlled by Strontium.”

That legal process is key. “Three things stand out to me here: Strontium points to European think-tanks and policy centers as a rich source of information on EU and US reactions and strategy development regarding the Russian/Ukrainian conflict, Ukraine’s dominance of the information warfare theater of this conflict resulting in its media being directly attacked and, in particular, commenting on establishing a legal process that would enable Microsoft to quickly obtain legal approval for direct action ”, said Casey Ellis, founder and CTO of Bugcrowd.

“Microsoft’s actions here are a well-oiled protocol for highly targeted takedowns against botnets and other criminal actors,” explained Andrew Barratt, vice president of Coalfire.

Efforts here seem to reflect a change on the part of the government regarding the role of private industry in foreign affairs. “The Justice Department appears to be adopting a new policy of authorizing hacking operations and then publicly disclosing both the decision and the results once the operation is complete. The HAFNIUM and Cyclops Blink shootdowns are two other recent examples,” Ellis said. “This type of activity has been going on for quite some time without the legal aspect being publicized, so this change in strategy is intriguing and, to me, points to a degree of ‘cyber saber rattling’ by the West as well. like a new season of the DOJ publicly acknowledging the legitimacy of offensive cybersecurity work.”

But, “there’s a careful way to go here,” Barratt said. “Suggestions of direct Russian activity against US/EU interests could trigger a NATO escalation, in line with other military responses to cyber activity in the past.”

Burt said the latest action was just a small part of the Ukraine-related activity the company has seen. “Prior to the Russian invasion, our teams began working around the clock to help organizations in Ukraine, including government agencies, defend against an onslaught of cyber warfare that has intensified since the invasion began and has continued relentlessly. “, said. “Since then, we have watched almost every Russian nation-state actor involved in the ongoing large-scale offensive against Ukraine’s government and critical infrastructure.”

The information Microsoft released “shows the depth of available capability and how much more of an active component in Russian military capability cyber actions are,” Barratt said. “This is not just siled online activity, this capability is more aligned with an integrated military cyber unit.”

Microsoft’s efforts may have thwarted the bad guys this time, but they will continue to be a thorn in security’s side. “While Microsoft’s response during this most recent attack helped deter Strontium from gaining long-term access to Ukrainian government targets, we may not have seen Strontium’s latest efforts in Ukraine,” Merrit said.

Leave a Comment