Microsoft uses sinkhole to thwart Russian state-backed Fancy Bear attacks

Microsoft has thwarted a series of attacks said to have been orchestrated by high-profile Russian state-sponsored hacking group Fancy Bear by redirecting their domains to a Microsoft-controlled sinkhole, the tech giant revealed on Thursday.

Also known as APT28 or Strontium, Fancy Bear is one of the most active APT groups in the world, having played a role in the 2016 hacking of the American presidential election and the cyber attack on the 2018 Winter Olympics in Pyeongchang, among many others.

Operating since at least 2004, Fancy Bear has close ties to the Russian foreign military intelligence agency GRU, and has become increasingly involved in supporting Russia’s military operations in cyber warfare.

Microsoft published a blog post detailing its actions against the hacking group, which this week was discovered targeting Ukrainian media organisations, as well as EU and US government institutions and foreign policy-involved think tanks.

On 6 April, Microsoft secured a court order that allowed it to take control of seven internet domains used by Fancy Bear to conduct the attacks.

“We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and enable victim notifications,” the tech giant’s Customer Security & Trust corporate VP Tom Burt stated on Thursday.

In order to ensure rapid responses to Fancy Bear’s attacks, Microsoft has also “established a legal process” that allows the tech giant to fast-track court decisions required to take over the hacking group’s domains.

“Prior to this week, we had taken action through this process 15 times to seize control of more than 100 Strontium controlled domains,” said Burt.

Organisations aiding Ukraine or criticising the Russian government are considered to be at highest risk of being compromised by Russian threat actors, the NCSC warned on 30 March, as it advised businesses to avoid using Russian tech providers such as Kaspersky.

Microsoft’s findings come two weeks after the US indicted four members of the Russian government over two separate cyber security incidents between 2012 and 2018 that targeted global critical infrastructure organisations. The alleged “conspiracies”, which included the 2017 attack on a Saudi Arabian petrochemical facility, were uncovered by joint efforts of the UK and US.