Microsoft disrupted attacks against Ukrainian targets by APT28

Microsoft has successfully disrupted attacks against Ukrainian targets coordinated by the Russian APT28 hacking group after taking down seven domains used as attack infrastructure.


Who is FANCY BEAR (APT28)?

The Advanced Persistent Threat group APT28 (also known as Fancy Bear, Pawn Storm, the Sednit Gang and Sofacy) is a highly skilled threat actor.

APT28 has previously used tools including X-Tunnel, X-Agent and CompuTrace to penetrate target networks. The signatures and Indicators of Compromise (IoCs) published in the NCSC advisory listed in the sources below will assist in detecting the presence of APT28 malware on your platforms and networks.



The group has been observed targeting victims in multiple sectors across the globe. Because of its extensive operations against defense ministries and other military victims, FANCY BEAR’s profile closely mirrors the strategic interests of the Russian government, and may indicate affiliation with Главное Разведывательное Управление (Main Intelligence Department) or GRU, Russia’s premier military intelligence service.

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004.

Strontium (also tracked as Fancy Bear or APT28), linked to Russia's military intelligence service GRU, used these domains to target multiple Ukrainian institutions, including media organizations.

The domains were also used in attacks against US and EU government institutions and think tanks involved in foreign policy.

"On Wednesday, April 6th, we obtained a court order authorizing us to take control of seven internet domains Strontium was using to conduct these attacks," said Tom Burt, Corporate Vice President of Customer Security & Trust at Microsoft.

Microsoft said Strontium was using seven internet domains to conduct attacks on Ukrainian institutions as well as government bodies and think tanks in the US and the European Union involved in foreign policy, without identifying any of the targets by name.

"We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium's current use of these domains and enable victim notifications."

"We believe Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information."

Microsoft also notified the Ukrainian government about Strontium's malicious activity and the disruption of efforts to compromise targeted organizations' networks in Ukraine.

Fancy Bear’s Methods

FANCY BEAR’s code has been observed targeting conventional computers and mobile devices. To attack their victims, they typically employ both phishing messages and credential harvesting using spoofed websites.

FANCY BEAR has demonstrated the ability to run multiple and extensive intrusion operations concurrently. In the blog post, Bears in the Midst, CrowdStrike CTO Dmitri Alperovitch details the adversary’s operations against U.S. political organizations. At the same time that operation was occurring, this actor was involved in extensive operations targeting European military organizations.

This adversary has dedicated considerable time to developing their primary implant, known as XAgent, and to leveraging proprietary tools and droppers such as X-Tunnel, WinIDS, Foozer and DownRange. Their main implant has been ported across multiple operating systems for conventional computers as well as mobile platforms.

This group is also known for registering domains that closely resemble domains of legitimate organizations they plan to target in order to establish phishing sites that spoof the look and feel of the victim’s web-based email services, with the intention of harvesting their credentials.
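The lookalike-domain technique described above, as an added detection example that is not part of the original article or of any vendor's tooling: a small Python checker that flags DNS queries for hostnames imitating an organization's webmail domains. The protected domains, confusable-character table and resolver log lines are all constructed for illustration, not taken from the sources above.

```python
import re
# Constructed list of legitimate webmail hostnames the defender wants to protect.
LEGIT_DOMAINS = ["mail.example-ministry.gov.ua", "webmail.example-thinktank.org"]
# Constructed substitutions typical of lookalike registrations (rn->m, 0->o, ...).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def normalize(host):  # lowercase, fold confusable characters, drop dots and hyphens
    s = host.lower()
    for bad, good in CONFUSABLES:
        s = s.replace(bad, good)
    return re.sub(r"[.\-]", "", s)

def levenshtein(a, b):  # plain dynamic-programming edit distance
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host, legit_domains=LEGIT_DOMAINS):  # legit domain imitated, or None
    host = host.lower().rstrip(".")
    if host in legit_domains:
        return None  # exact legitimate name, nothing to flag
    n_host = normalize(host)
    for legit in legit_domains:
        brand = max(legit.split("."), key=len)  # most distinctive label
        if levenshtein(n_host, normalize(legit)) <= 2:
            return legit  # homoglyph, hyphen/dot or one-typo variant
        if normalize(brand) in n_host:
            return legit  # brand embedded in an unrelated registration
    return None

def scan_dns_log(lines):  # (queried_host, imitated_domain) pairs for suspicious queries
    hits = []
    for line in lines:
        m = re.search(r"query=(\S+)", line)
        if m and (target := lookalike_of(m.group(1))):
            hits.append((m.group(1), target))
    return hits

# Constructed DNS resolver log lines for demonstration.
SAMPLE_LOG = [
    "2022-04-06T09:58:12Z client=10.0.0.5 query=mail.example-ministry.gov.ua",
    "2022-04-06T10:01:40Z client=10.0.0.5 query=mail.example-rninistry.gov.ua",
    "2022-04-06T10:02:03Z client=10.0.0.7 query=example-ministry-login.com",
    "2022-04-06T10:03:15Z client=10.0.0.9 query=webrnail.example-thinktank.org",
    "2022-04-06T10:04:30Z client=10.0.0.9 query=updates.vendor.example.net",
]
```

The edit-distance threshold and the brand-substring rule are deliberately loose; tune them against your own resolver logs to keep false positives manageable.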




Source: 

Microsoft takes down APT28 domains used in attacks against Ukraine (bleepingcomputer.com)

APT28, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Group G0007 | MITRE ATT&CK®

Indicators of compromise for malware used by APT28 - NCSC.GOV.UK

Fancy Bear Hackers (APT28): Targets & Methods | CrowdStrike
