Microsoft has successfully seized domains used by APT28, a state-sponsored group operated by Russian military intelligence, to target institutions in Ukraine.
The tech giant said in a blog post on Thursday that Strontium — Microsoft’s moniker for APT28 or “Fancy Bear,” a hacking group linked to Russia’s GRU — used the domains to target multiple Ukrainian institutions, including media organizations, as well as government institutions and think tanks involved in foreign policy in the U.S. and Europe.
“We believe Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information,” said Tom Burt, Microsoft’s vice president for customer security.
Microsoft said it obtained a court order on April 6 that authorized the company to take control of seven domains APT28 was using to carry out its cyberattacks. “We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and enable victim notifications,” Burt added. “We have notified Ukraine’s government about the activity we detected and the action we’ve taken.”
This action is part of a wider Microsoft investigation into the Russian state-sponsored hacking group that started back in 2016. Microsoft has obtained several court decisions in recent years to seize infrastructure being used by APT28. To date, Microsoft has filed 15 other cases against the Russian-backed threat group, leading to the seizure of more than 100 malicious domains controlled by the Russian spies.
The Russia-backed hacker group has been active since at least 2009, targeting predominantly media, military, security organizations and governments worldwide, including a 2015 hack of the German federal parliament and an attack against the Democratic National Committee in 2016.
APT28 has also been linked to the recent cyberattack on U.S. satellite communications provider Viasat, an incident that triggered satellite service outages across Central and Eastern Europe. A recent SentinelOne report said the attack was likely the result of destructive wiper malware that shares similarities with the VPNFilter malware, which infected thousands of home and small business routers and network devices worldwide. In 2018, the FBI attributed the VPNFilter operation to APT28.
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss the 20th anniversary of TechCrunch, and a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.
Microsoft’s Burt said that APT28’s attacks “are just a small part of the activity we have seen in Ukraine,” adding that the company has “observed nearly all of Russia’s nation-state actors engaged in the ongoing full-scale offensive against Ukraine’s government and critical infrastructure.”
Microsoft’s domain seizures landed just days after the FBI said it has taken down a massive botnet also run by the GRU.
Read more:
