Microsoft seizes internet domains linked to GRU cyberattacks against Ukraine

Strontium — a group linked to Russian military intelligence — was using the domains to target Ukrainian institutions, Microsoft said.
Russian Foreign Ministry
A man enters the Russian Foreign Ministry headquarters in Moscow on April 19, 2021. (Photo by NATALIA KOLESNIKOVA/AFP via Getty Images)

Microsoft says it has shut down internet infrastructure that Russian state-backed hackers used to attack the networks of organizations in Ukraine as well as government agencies and think tanks in the U.S. and European Union.

The company said Thursday that it seized seven domains it linked to the GRU military intelligence agency and re-directed the related traffic “to a sinkhole controlled by Microsoft.” The blog post about the maneuver attributed the hacking to a GRU group known to cybersecurity researchers as Strontium, Fancy Bear or Sofacy.

“We believe Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information,” Microsoft said. “We have notified Ukraine’s government about the activity we detected and the action we’ve taken.”

Ukrainian media organizations were among the targets, the company said.


The takedown is the latest in a series of Western moves to disrupt the Kremlin’s cyber-operations as its war on Ukraine continues. On Wednesday, the U.S. government said it had disrupted a botnet built by another GRU-linked advanced persistent threat (APT) group, Sandworm. Researchers have reported some overlap between GRU hacking teams, but in some cases the activity is attributable to distinct units within the spy agency.

Microsoft said it got a court order on April 6 for the Strontium-linked seizure. It’s not the first time the tech giant has taken over internet domains to stop Russia-linked hacking. The company has made similar moves to thwart campaigns linked to North Korea and China, too.

“We have established a legal process that enables us to obtain rapid court decisions for this work,” the blog post said. “Prior to this week, we had taken action through this process 15 times to seize control of more than 100 Strontium controlled domains.”

The company did not specify the internet domains that were involved, nor did it describe the exact nature of the cyberattacks.

Thursday’s announcement is just a small part of Microsoft’s efforts to help the Ukrainian government, Microsoft said.


Since Russia’s invasion began, “we have observed nearly all of Russia’s nation-state actors engaged in the ongoing full-scale offensive against Ukraine’s government and critical infrastructure, and we continue to work closely with government and organizations of all kinds in Ukraine to help them defend against this onslaught,” the company said.

Microsoft itself is also the subject of relentless pressure from foreign hackers. The cybercrime group Lapsus$ claimed in March that it had breached part of the company’s networks. Microsoft investigated and said “a single account had been compromised, granting limited access.”

Latest Podcasts