Microsoft disrupts Russian cyberattackers targeting Ukraine, U.S., Europe

Microsoft said it disrupted the actions of a Moscow-linked cyberattacker targeting Ukraine, the U.S. and Europe. 

Strontium, which Microsoft has linked to the Russian military intelligence, was targeting media and other institutions in Ukraine, and government entities and think tanks from the U.S. and Europe, according to Microsoft Corporate Vice President Tom Burt. 

“This week, we were able to disrupt some of Strontium’s attacks on targets in Ukraine,” Mr. Burt wrote on Microsoft’s blog on Thursday. “On Wednesday, April 6th, we obtained a court order authorizing us to take control of seven internet domains Strontium was using to conduct these attacks. We have since redirected these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and enable victim notifications.” 

Microsoft previously identified Strontium as primarily responsible for attacks on Democrats surrounding the 2016 election, and Microsoft has said Strontium targeted both Republican and Democratic consultants ahead of the 2020 presidential election. Mr. Burt wrote in September 2020 that Strontium targeted more than 200 organizations affiliated with the coming election in a cyber campaign to compromise accounts and gain access for later use in intelligence collection and disruption. 

Mr. Burt said Thursday that Microsoft believed the Russian hackers’ latest actions were looking for “long-term access” to systems to provide tactical support for Russia’s invasion and that the hackers were seeking to swipe sensitive information. 

Microsoft’s latest action comes on the heels of the Justice Department announcing on Wednesday that it disrupted a “two-tiered global botnet of thousands of infected network hardware devices” under the control of a different cyberattacker, Sandworm, that the U.S. government previously attributed to Russian military intelligence. 

The department said the court-authorized operation was conducted in March. The operations to remove malware known as “Cyclops Blink” were led by the FBI’s cyber team and offices in Atlanta, Pittsburgh and Oklahoma City alongside prosecutors in Pennsylvania. 

In addition to the Russian military intelligence-connected operations exposed by Microsoft and the federal government, Meta said Thursday that it found Belarus-linked hackers attempting to break into dozens of Ukrainian military personnel’s Facebook accounts. 

Meta said a handful of accounts posted videos encouraging surrender amid Russia’s invasion, but the company stopped the videos from getting shared.