Microsoft revealed on Thursday that it had obtained a court order to take control of seven domains used by APT28, a state-sponsored group operated by Russia’s military intelligence, in an effort to neutralize its attacks on Ukraine.
“We have since redirected these domains to a Microsoft-controlled sinkhole, which allows us to mitigate Strontium’s current use of these domains and enable victim notifications,” said Tom Burt, Microsoft Vice President responsible for customer security and trust.
APT28, also known as Sofacy, Sednit, Pawn Storm, Fancy Bear, Iron Twilight, and Strontium, is a cyber espionage group and Advanced Persistent Threat known to be active since 2009, targeting media, governments, the military and international non-governmental organizations (NGOs), which often have a security focus.
The tech giant noted that the sinkholed infrastructure was being used by the threat actor to target Ukrainian institutions, as well as governments and think tanks in the United States and the European Union, in order to establish long-term persistent access and exfiltrate sensitive information.
Meta takes action against Ghostwriter and Phosphorus
Microsoft’s disclosure comes as Meta, the company formerly known as Facebook, revealed it had taken action against covert adversarial networks from Azerbaijan and Iran on its platform, removing accounts and blocking the sharing of their domains.
The Azerbaijani operation reportedly targeted democracy activists, opposition groups and journalists at home, and government critics abroad, with phishing and espionage activity.
Another involved UNC788 (aka Charming Kitten, TA453 or Phosphorus), a government-linked hacking team known for conducting surveillance operations in support of Iranian strategic priorities.
“This group used a combination of unsophisticated fake accounts and more elaborate fictional characters, which they likely used to build trust with potential targets and trick them into clicking on phishing links or downloading malicious apps,” explained Meta in its first quarterly Adversarial Threat Report.
The malicious Android apps, dubbed HilalRAT, masqueraded as seemingly harmless Quranic apps in order to extract sensitive information, such as contact lists, text messages, files and location data, and to activate the camera and microphone.
Meta also said it blocked malicious activity associated with a previously unreported Iranian hacking group that used tactics similar to Tortoiseshell to target or spoof companies in the energy, IT, maritime logistics, semiconductor and telecommunications sectors.
This campaign featured an elaborate set of fake profiles on Instagram, LinkedIn, Facebook and Twitter, with the actors posing as recruiters from real and front companies to trick users into clicking phishing links that delivered information-stealing malware disguised as VPN, calculator, audiobook and messaging apps.
“They developed malware on the VMWare ThinApp virtualization platform, which allowed them to run it on many different systems and hold off the malicious payload until the last minute, making malware detection more difficult,” explained Meta.
Finally, Meta also disrupted takeover attempts by the Belarusian-aligned Ghostwriter group to break into the Facebook accounts of dozens of Ukrainian military personnel.
The attacks, which were successful in “a handful of cases”, abused access to victims’ social media accounts and published disinformation “calling on the military to surrender as if these messages were from the rightful owners of the accounts”.