Microsoft Takes Down Russia’s Strontium Allies Attacking Ukraine

Need additional evidence that private organizations are playing a defining role in curbing and preventing nation-state cyberattacks? Just look at the actions Microsoft recently took to disrupt Russian GRU-connected Strontium’s attacks on Ukrainian targets.

Tom Burt, Microsoft corporate vice president of customer service, wrote in a blog post that the tech giant had obtained a court order allowing it to take over seven internet domains used by Strontium to conduct attacks against Ukrainian institutions, including media.

“We have since redirected these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and enable victim notifications,” Burt said, noting that the group was also attacking government institutions and think tanks involved in foreign policy and located in the U.S.

“The outcome of every war is defined by achieving many small victories; in this case, Microsoft took active steps to disrupt attacks on Ukrainian targets and is showing why we haven’t seen as much success in attacks by Russia as we have seen in previous conflicts,” said John Bambenek, principal threat hunter at Netenrich. “Russia’s playbook is pretty well-known and many organizations are pitching in to minimize or eliminate the impact these threat actors can have on Ukraine or affiliated entities.”

Strontium has been a formidable presence for years. “In 2014, Strontium attempted to compromise members of the Ukrainian military-linked volunteer group Army SOS via spearphishing messages prompting the installation of malware called ‘Network Bridge,’” said Austin Merrit, cyber threat intelligence analyst at Digital Shadows. “The group has also been known to develop their own tools and exploit zero-day vulnerabilities.”

Because it is an extension of Russia’s GRU, “Strontium likely receives many of its orders and objectives from the Kremlin,” said Merrit. “As the war in Ukraine drags on, and Russia is forced to pivot from its original military objectives, it’s realistically possible that nation-state groups like Strontium will launch more disruptive cyberattacks aimed at Ukraine’s infrastructure, government and media sectors.”

The Microsoft team thinks Strontium’s goal this time was to gain long-term access to victims’ systems and even support physical invasion as well as exfiltrate sensitive information. Microsoft began its efforts to disrupt nation-state actors just six years ago, and this most recent action shows how effective a private company’s contribution can be in the war against cyberattacks and the threat actors behind them. It also points to the importance of creating a framework for dealing quickly with these threats in the courts.

“We have established a legal process that enables us to obtain rapid court decisions for this work,” Burt wrote. “Prior to this week, we had taken action through this process 15 times to seize control of more than 100 Strontium-controlled domains.”

That legal process is key. “Three things stand out to me here: Strontium’s targeting of European think-tanks and policy centers as an information-rich source of EU and US reactions and strategy development regarding the Russo/Ukrainian conflict, Ukraine’s dominance of the information warfare theatre of this conflict resulting in their media being directly targeted, and, in particular, the comment about establishing a legal process that allows Microsoft to quickly obtain legal approval for direct action,” said Casey Ellis, founder and CTO at Bugcrowd.

“Microsoft’s actions here are a well-oiled protocol for takedowns much exercised against botnets and other criminal actors,” explained Andrew Barratt, vice president at Coalfire.

The efforts here seem to reflect a shift by the government with regard to private industry’s role in foreign affairs. “The DOJ appears to be adopting a new policy of authorizing hack-back operations and then publicly disclosing both the decision and the results once the operation is completed. The HAFNIUM and Cyclops Blink takedowns are two other recent examples,” said Ellis. “This type of activity has been going on for quite some time without the legal side of it being publicized, so this shift in strategy is intriguing, and to me points to a degree of ‘cybersaber rattling’ by the West, as well as a new season of the DOJ publicly acknowledging the legitimacy of offensive cybersecurity work.”

But, “there is a careful path to tread here,” said Barratt. “Suggestions of direct activity by Russia against U.S./EU interests could trigger an escalation from NATO, in line with other military responses to cyber activities in the past.”

Burt said the latest action was just a small part of the Ukraine-related activity the company has observed. “Before the Russian invasion, our teams began working around the clock to help organizations in Ukraine, including government agencies, defend against an onslaught of cyberwarfare that has escalated since the invasion began and has continued relentlessly,” he said. “Since then, we have observed nearly all of Russia’s nation-state actors engaged in the ongoing full-scale offensive against Ukraine’s government and critical infrastructure.”

The information that Microsoft released “shows the depth of capability available and how much more of an active component in the Russian military capability the cyber actions are,” said Barratt. “This isn’t just an online activity in a silo, this capability is more aligned with an integrated military cyber unit.”

Microsoft’s efforts may have foiled the bad actors this time, but they will continue to be a thorn in security’s side. “While the response from Microsoft during this most recent attack helped deter Strontium from obtaining long-term access to Ukrainian government targets, we have likely not seen the last of Strontium’s efforts in Ukraine,” said Merrit.

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
