As Russia continues its devastating and tragic invasion of Ukraine, the cyber front of the war remains favorable to Ukraine and its Western allies.
Within the last week, there have been two major wins against Russian cybercriminals. U.S. and German authorities were able to shutdown Hydra Market, the largest illegal darknet marketplace in the world that has received approximately $5.2 billion in cryptocurrency since 2015. And the Department of Justice (DOJ) announced an operation that successfully disrupted a botnet controlled by the Russian Federation's Main Intelligence Directorate (GRU) known as Cyclops Blink.
Most recently, Microsoft says it has disrupted cyberattacks from a nation-state threat actor targeting Ukraine. The threat actor, known as Strontium and tracked by Microsoft for years, is connected to the Russian GRU.
After obtaining a court order on April 6th, Microsoft took control of seven internet domains used to conduct these attacks on Ukraine. Since then, it has redirected those domains to a sinkhole, allowing Microsoft to mitigate Strontium's current use of these domains and enable victim notifications.
Microsoft discusses in a recent blog post:
"Strontium was using this infrastructure to target Ukrainian institutions including media organizations. It was also targeting government institutions and think tanks in the United States and the European Union involved in foreign policy. We believe Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information. We have notified Ukraine's government about the activity we detected and the action we've taken."
The disruption of Strontium has been a long process for Microsoft, but a very successful one. Dating back to 2016, Microsoft has taken legal and technical action to seize infrastructure controlled by Strontium. The company says it has established a legal process that enables it to quickly obtain court decisions for this work.
Before the recent disruption this week, Microsoft used this process 15 times to seize more than 100 Strontium controlled domains.
Microsoft tracking Russian threat actors
Throughout the invasion of Ukraine, Microsoft has done an exceptional job of tracking Russian threat actors. Though the disruption of Strontium was a minor victory relative to the scale of the war, Microsoft anticipates these victories to wear on Russia:
"The Strontium attacks are just a small part of the activity we have seen in Ukraine. Before the Russian invasion, our teams began working around the clock to help organizations in Ukraine, including government agencies, defend against an onslaught of cyberwarfare that has escalated since the invasion began and has continued relentlessly.
Since then, we have observed nearly all of Russia's nation-state actors engaged in the ongoing full-scale offensive against Ukraine's government and critical infrastructure, and we continue to work closely with government and organizations of all kinds in Ukraine to help them defend against this onslaught. In the coming weeks we expect to provide a more comprehensive look at the scope of the cyberwar in Ukraine."
Follow SecureWorld News for updates on Russia, Ukraine, and other cybersecurity related news.