{ "id": "ea6973eb-c04e-4901-b019-8ef1a892788b", "created_at": "2026-04-06T01:31:50.165312Z", "updated_at": "2026-04-10T03:37:49.717169Z", "deleted_at": null, "sha1_hash": "5e6a1eff91fe95cc685cc34ef6be7571347c5cf4", "title": "Disrupting cyberattacks targeting Ukraine", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 573055, "plain_text": "Disrupting cyberattacks targeting Ukraine\r\nBy Tom Burt\r\nPublished: 2022-04-07 · Archived: 2026-04-06 00:48:58 UTC\r\nToday, we’re sharing more about cyberattacks we’ve seen from a Russian nation-state actor targeting Ukraine and\r\nsteps we’ve taken to disrupt it.\r\nWe recently observed attacks targeting Ukrainian entities from Strontium, a Russian GRU-connected actor we\r\nhave tracked for years. This week, we were able to disrupt some of Strontium’s attacks on targets in Ukraine. On\r\nWednesday April 6th, we obtained a court order authorizing us to take control of seven internet domains Strontium\r\nwas using to conduct these attacks. We have since re-directed these domains to a sinkhole controlled by Microsoft,\r\nenabling us to mitigate Strontium’s current use of these domains and enable victim notifications.\r\nStrontium was using this infrastructure to target Ukrainian institutions including media organizations. It was also\r\ntargeting government institutions and think tanks in the United States and the European Union involved in foreign\r\npolicy. We believe Strontium was attempting to establish long-term access to the systems of its targets, provide\r\ntactical support for the physical invasion and exfiltrate sensitive information. We have notified Ukraine’s\r\ngovernment about the activity we detected and the action we’ve taken.\r\nhttps://blogs.microsoft.com/on-the-issues/2022/04/07/cyberattacks-ukraine-strontium-russia/\r\nPage 1 of 2\n\nThis disruption is part of an ongoing long-term investment, started in 2016, to take legal and technical action to\r\nseize infrastructure being used by Strontium. We have established a legal process that enables us to obtain rapid\r\ncourt decisions for this work. Prior to this week, we had taken action through this process 15 times to seize control\r\nof more than 100 Strontium controlled domains.\r\nThe Strontium attacks are just a small part of the activity we have seen in Ukraine. Before the Russian invasion,\r\nour teams began working around the clock to help organizations in Ukraine, including government agencies,\r\ndefend against an onslaught of cyberwarfare that has escalated since the invasion began and has continued\r\nrelentlessly. Since then, we have observed nearly all of Russia’s nation-state actors engaged in the ongoing full-scale offensive against Ukraine’s government and critical infrastructure, and we continue to work closely with\r\ngovernment and organizations of all kinds in Ukraine to help them defend against this onslaught. In the coming\r\nweeks we expect to provide a more comprehensive look at the scope of the cyberwar in Ukraine.\r\nTags: cyberattacks, cybersecurity, cyberwar, Russia, strontium, Ukraine\r\nSource: https://blogs.microsoft.com/on-the-issues/2022/04/07/cyberattacks-ukraine-strontium-russia/\r\nhttps://blogs.microsoft.com/on-the-issues/2022/04/07/cyberattacks-ukraine-strontium-russia/\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://blogs.microsoft.com/on-the-issues/2022/04/07/cyberattacks-ukraine-strontium-russia/" ], "report_names": [ "cyberattacks-ukraine-strontium-russia" ], "threat_actors": [ { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null }, { "id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab", "created_at": "2022-10-25T16:07:24.212584Z", "updated_at": "2026-04-10T02:00:04.900038Z", "deleted_at": null, "main_name": "Sofacy", "aliases": [ "APT 28", "ATK 5", "Blue Athena", "BlueDelta", "FROZENLAKE", "Fancy Bear", "Fighting Ursa", "Forest Blizzard", "G0007", "Grey-Cloud", "Grizzly Steppe", "Group 74", "GruesomeLarch", "ITG05", "Iron Twilight", "Operation DealersChoice", "Operation Dear Joohn", "Operation Komplex", "Operation Pawn Storm", "Operation RoundPress", "Operation Russian Doll", "Operation Steal-It", "Pawn Storm", "SIG40", "Sednit", "Snakemackerel", "Sofacy", "Strontium", "T-APT-12", "TA422", "TAG-0700", "TAG-110", "TG-4127", "Tsar Team", "UAC-0028", "UAC-0063" ], "source_name": "ETDA:Sofacy", "tools": [ "ADVSTORESHELL", "AZZY", "Backdoor.SofacyX", "CHERRYSPY", "CORESHELL", "Carberp", "Computrace", "DealersChoice", "Delphacy", "Downdelph", "Downrage", "Drovorub", "EVILTOSS", "Foozer", "GAMEFISH", "GooseEgg", "Graphite", "HATVIBE", "HIDEDRV", "Headlace", "Impacket", "JHUHUGIT", "JKEYSKW", "Koadic", "Komplex", "LOLBAS", "LOLBins", "Living off the Land", "LoJack", "LoJax", "MASEPIE", "Mimikatz", "NETUI", "Nimcy", "OCEANMAP", "OLDBAIT", "PocoDown", "PocoDownloader", "Popr-d30", "ProcDump", "PythocyDbg", "SMBExec", "SOURFACE", "SPLM", "STEELHOOK", "Sasfis", "Sedkit", "Sednit", "Sedreco", "Seduploader", "Shunnael", "SkinnyBoy", "Sofacy", "SofacyCarberp", "SpiderLabs Responder", "Trojan.Shunnael", "Trojan.Sofacy", "USB Stealer", "USBStealer", "VPNFilter", "Win32/USBStealer", "WinIDS", "Winexe", "X-Agent", "X-Tunnel", "XAPS", "XTunnel", "Xagent", "Zebrocy", "Zekapab", "carberplike", "certutil", "certutil.exe", "fysbis", "webhp" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775439110, "ts_updated_at": 1775792269, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5e6a1eff91fe95cc685cc34ef6be7571347c5cf4.pdf", "text": "https://archive.orkl.eu/5e6a1eff91fe95cc685cc34ef6be7571347c5cf4.txt", "img": "https://archive.orkl.eu/5e6a1eff91fe95cc685cc34ef6be7571347c5cf4.jpg" } }