{
	"id": "c6c4fd29-ea1b-4ce2-b05e-7af64b096282",
	"created_at": "2026-04-06T00:19:42.528401Z",
	"updated_at": "2026-04-10T03:37:50.241307Z",
	"deleted_at": null,
	"sha1_hash": "558f8defa89094045dd08bcfd8856fdc719b86d4",
	"title": "Microsoft Disrupts APT28 Hacking Campaign Aimed at US Midterm Elections",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1486210,
	"plain_text": "Microsoft Disrupts APT28 Hacking Campaign Aimed at US Midterm Elections\r\nBy Catalin Cimpanu\r\nPublished: 2018-08-21 · Archived: 2026-04-05 13:33:26 UTC\r\nMicrosoft revealed last night that it successfully disrupted a hacking campaign associated with the Russian military intelligence service GRU.\r\nThe group is known in infosec industry circles as APT28, Fancy Bear, or Strontium, and has previously been linked to cyber-espionage campaigns aimed at numerous governments around the world, including the hack of the Democratic National Committee ahead of the 2016 US Presidential Election.\r\nMicrosoft takes over six APT28 domains\r\nMicrosoft President Brad Smith said that Microsoft's Digital Crimes Unit (DCU) successfully executed a court order to transfer control of six internet domains created by the group. The six domains are:\r\nmy-iri.org\r\nhudsonorg-my-sharepoint.com\r\nsenate.group\r\nadfs-senate.services\r\nadfs-senate.email\r\noffice365-onedrive.com\r\nThe first domain was registered to look like a domain of the International Republican Institute, which promotes democratic principles. The second was registered to mimic the Hudson Institute, an organization known for its discussions on election cybersecurity. The last four were blatant attempts at mimicking domains that are part of the US Senate's IT infrastructure. Microsoft said it notified all three organizations.\r\nMicrosoft has now taken over 84 APT28 domains\r\nBased on their format, the domains were most likely meant for spear-phishing operations: the names borrow those of SharePoint, OneDrive and Office 365, and of Active Directory Federation Services (ADFS), the single sign-on component whose login page a credential-harvesting site would imitate. Microsoft says it gained ownership of the domains before they were used in any attacks.\r\nThe OS maker said this was the twelfth time it had used a court order to take control of domains believed to be associated with APT28's attack infrastructure. Smith said Microsoft has now taken control of 84 APT28 domains in the last two years.\r\n\"Despite last week's steps, we are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States,\" Smith said. \"Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France.\"\r\nLast week, Reuters reported that the FBI was investigating cyber-attacks on the congressional campaign of a Democratic candidate in California, although there is no evidence that Microsoft's intervention is tied to that investigation.\r\nSpeaking at a conference in mid-July, Tom Burt, Corporate Vice President for Customer Security and Trust at Microsoft, said Microsoft had by then blocked the first cyber-attacks on the US 2018 midterm elections.\r\nIn May this year, the FBI intervened in a similar fashion, taking control of a domain that the APT28 group was using to control the VPNFilter IoT botnet.\r\nMicrosoft officially launches AccountGuard service\r\nWhile announcing Microsoft's intervention to take down the six APT28 domains, Smith also announced the launch of the AccountGuard service, designed to help US election and campaign entities secure their IT infrastructure against nation-state attacks.\r\nBleeping Computer first broke the story about Microsoft's new AccountGuard service at the start of the month (more details here).\r\nAfter Microsoft revealed its takeover of the six APT28 domains, Google also issued a security advisory on its blog about the dangers of government-backed phishing operations. Last week, Google added support for controlling the behavior of \"Government backed attacks\" alerts inside the G Suite service.\r\nSource: https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/"
	],
	"report_names": [
		"microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections"
	],
	"threat_actors": [
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28",
				"ATK5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"GRAPHITE",
				"Group 74",
				"PawnStorm",
				"STRONTIUM",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"TA422",
				"TG-4127",
				"Tsar Team",
				"UAC-0001"
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434782,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/558f8defa89094045dd08bcfd8856fdc719b86d4.pdf",
		"text": "https://archive.orkl.eu/558f8defa89094045dd08bcfd8856fdc719b86d4.txt",
		"img": "https://archive.orkl.eu/558f8defa89094045dd08bcfd8856fdc719b86d4.jpg"
	}
}
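The six domains in the article above are built the way the reporter reads them: a brand or organisation name (sharepoint, onedrive, office365, adfs, senate, iri, hudson) placed in a registrable domain that the impersonated party does not own. The following detector turns that reading into a check that can be run over DNS or proxy logs. It is an added example, not code from the article, from BleepingComputer, or from Microsoft's Digital Crimes Unit. TRUSTED_DOMAINS, BRAND_TOKENS, the small public-suffix subset, the log line format and SAMPLE_LOG are all assumptions constructed for the example; a real deployment would load an organisation-specific trusted list and the full Public Suffix List.

```python
"""Flag lookalike domains that borrow a brand token without being hosted
under the brand owner's registrable domain.

Added example; not code from the article or from Microsoft. All tables and
sample data below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Registrable domains that legitimately host the impersonated services.
# Constructed for this example.
TRUSTED_DOMAINS = {
    "sharepoint.com", "onedrive.com", "live.com", "office.com",
    "office365.com", "microsoft.com", "microsoftonline.com",
    "senate.gov", "iri.org", "hudson.org",
}

# Brand tokens an attacker borrows, mapped to the party each impersonates
# when it appears outside TRUSTED_DOMAINS. Constructed for this example.
BRAND_TOKENS = {
    "sharepoint": "Microsoft SharePoint",
    "onedrive": "Microsoft OneDrive",
    "office365": "Microsoft Office 365",
    "adfs": "Active Directory Federation Services (SSO login page)",
    "senate": "US Senate",
    "iri": "International Republican Institute",
    "hudson": "Hudson Institute",
}

# Second-level public suffixes treated as part of the TLD when finding the
# registrable domain. Tiny constructed subset of the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# Assumed log format: "... qname=<hostname> ..." (constructed, not a real
# resolver's format).
_LOG_RE = re.compile(r"qname=(?P<qname>[A-Za-z0-9.-]+)")


@dataclass(frozen=True)
class Finding:
    host: str          # hostname as seen in the log
    registrable: str   # what to block or sinkhole
    token: str         # brand token that triggered the finding
    impersonates: str  # party the name is mimicking


def normalize(host: str) -> str:
    return host.strip().lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """eTLD+1 using the small suffix table above."""
    labels = normalize(host).split(".")
    take = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-take:])


def is_trusted(host: str) -> bool:
    """True when the host is, or sits under, a trusted registrable domain."""
    h = normalize(host)
    return any(h == d or h.endswith("." + d) for d in TRUSTED_DOMAINS)


def brand_tokens_in(host: str) -> list:
    """Brand tokens present in the host's hyphen-separated label pieces.
    A token must match a piece exactly, or be a prefix of one when the
    token is at least five characters long, so 'hudsonorg' matches
    'hudson' while 'irishtimes' does not match 'iri'."""
    pieces = [p for label in normalize(host).split(".") for p in label.split("-")]
    return [t for t in BRAND_TOKENS
            if any(p == t or (len(t) >= 5 and p.startswith(t)) for p in pieces)]


def lookalike_findings(host: str) -> list:
    """One Finding per borrowed brand token, none for trusted hosts."""
    if is_trusted(host):
        return []
    h = normalize(host)
    reg = registrable_domain(h)
    return [Finding(h, reg, t, BRAND_TOKENS[t]) for t in brand_tokens_in(h)]


def scan_dns_log(lines) -> list:
    """Run the check over log lines; lines without a qname are skipped."""
    findings = []
    for line in lines:
        m = _LOG_RE.search(line)
        if m:
            findings.extend(lookalike_findings(m.group("qname")))
    return findings


# The six domains named in the article.
ARTICLE_DOMAINS = ["my-iri.org", "hudsonorg-my-sharepoint.com", "senate.group",
                   "adfs-senate.services", "adfs-senate.email", "office365-onedrive.com"]

# Constructed sample log: two lookalikes, two legitimate hosts, one
# unrelated host that shares letters with a short brand token.
SAMPLE_LOG = [
    "2018-08-20T14:03:11Z client=10.1.2.3 qname=adfs-senate.services qtype=A",
    "2018-08-20T14:03:12Z client=10.1.2.3 qname=login.microsoftonline.com qtype=A",
    "2018-08-20T14:04:40Z client=10.1.2.7 qname=adfs.senate.gov qtype=A",
    "2018-08-20T14:05:02Z client=10.1.2.9 qname=hudsonorg-my-sharepoint.com qtype=A",
    "2018-08-20T14:05:03Z client=10.1.2.9 qname=www.irishtimes.com qtype=A",
]

if __name__ == "__main__":
    for d in ARTICLE_DOMAINS:
        for f in lookalike_findings(d):
            print(f"{f.host}: '{f.token}' impersonates {f.impersonates}; block {f.registrable}")
    print(len(scan_dns_log(SAMPLE_LOG)), "findings in sample log")
```

The trusted-domain check runs before token matching so that a real ADFS host such as adfs.senate.gov is never flagged, and the finding carries the registrable domain rather than the hostname because that is the unit a court-ordered transfer, a sinkhole or a resolver blocklist acts on. The heuristic only catches names that spell the brand out; homoglyph and single-character typo variants need a separate edit-distance or confusable-character check.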