Microsoft closes six sites allegedly set up by Russian-linked threat group

The alleged Russian-linked threat group known as APT28 has been blamed for more mischief in the United States, this time for setting up a number of websites mimicking prominent American political organizations.

On Monday Microsoft president Brad Smith said the company has seized six fake domains, three of which have been pretending to be websites of the U.S. Senate; one pretending to be the International Republican Institute, which promotes democratic principles; one pretending to be the Hudson Institute, a notable think tank; and one that was pretending to be a Microsoft Office 365 site.

Last week, Microsoft’s Digital Crimes Unit got a court order to take over the sites.

The seized sites are,,,, and

The domains, Smith said, were “created by a group widely associated with the Russian government and known as Strontium, or alternatively Fancy Bear or APT28. We have now used this approach 12 times in two years to shut down 84 fake websites associated with this group.”

One of those occasions, according to the Hacker News, was earlier this year, when the company helped Washington block Russian hacking attempts against at least three congressional candidates.

In December 2016 the U.S. Department of Homeland Security and the FBI issued a joint analysis report that identified APT28 (and a group threat researchers call APT29) as backed by Russian civilian and military intelligence services. Last month Russian President Vladimir Putin said, “The Russian state has never interfered and is not going to interfere in internal American affairs, including the election process.”

Although Smith’s blog linked the discovery of the fake sites to foreign entities “launching cyber strikes to disrupt elections and sow discord” in recent elections in the U.S. and France, Microsoft admits it has no evidence those domains were used in any successful attacks, nor evidence of the ultimate targets of any planned attack involving these domains.

Still, it says Microsoft is worried “by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States.” quoted Sean Sullivan, security advisor at security vendor F-Secure, as cautioning that the fake domains may not necessarily be related to elections.

“Microsoft’s announcement is generating a lot of attention and the focus is overwhelmingly centered on the 2018 mid-term elections. But it’s important not to lose sight of the bigger issue,” he said. “The focus on think tanks holding pro-sanction views on Russia’s current regime is about espionage. In short: spies are going to spy. That’s true whether or not it’s an election year. There seems to be a rush to conclude that these six domains are part of an “attack” on the elections that risks missing the complete threat model – and therefore the complete countermeasures that should be taken.”

“It’s good to see cybersecurity professionals taking action against phishers,” said Terry Ray, CTO of security firm Imperva. “However, let’s not forget that it’s far easier to create a new domain than it is to get permission to take one offline, and with the vast number of available domains that can look like a political support organization, the hackers still have the advantage. Consider that Microsoft eliminated the domain, because it looks like a domain for the International Republican Institute, hackers can also, create, or, or, etc. The number of options is only limited by the hackers’ imagination and takes minutes to create and use. On the defender’s side, finding, verifying and eliminating domains is a more tedious process which requires proof, documentation, multiple law enforcement agencies and most importantly, time. I applaud the efforts of Microsoft in this, but I look for businesses like theirs to better validate legitimate domains versus bogus in spam and other filters proactively for the consumer in the e-mail tools we all use in addition to the deletion of some domains.”

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]