The United Kingdom has decisively called out Russian military intelligence, specifically the notorious cyber threat group APT28 (also known as Fancy Bear), for developing and deploying a sophisticated new espionage tool dubbed “AUTHENTIC ANTICS.” This formal attribution by GCHQ’s National Cyber Security Centre (NCSC) reveals that the malware is designed to steal victim login details and authentication tokens, enabling persistent, covert access to Microsoft cloud email accounts. The announcement marks a significant step in the UK’s ongoing efforts to expose and counter Russia’s malicious hybrid operations.
Analysis of AUTHENTIC ANTICS by the NCSC demonstrates its deceptive nature. The malware cleverly blends in with legitimate Microsoft activity, periodically displaying a login window to trick users into providing their credentials. Crucially, it also intercepts OAuth authentication tokens, which can grant long-term access to Microsoft services without requiring the victim’s password for every login. Furthermore, the malware exfiltrates data by sending emails from the compromised account to an actor-controlled address, without these emails appearing in the victim’s sent folder, making detection even more challenging. The discovery of AUTHENTIC ANTICS followed a cyber incident in 2023, jointly investigated by Microsoft and the NCSC-assured cyber incident response provider NCC Group.
This public attribution is accompanied by robust action from the UK Government, which has today sanctioned three GRU Units (26165, 29155, and 74455) and 18 GRU officers and agents. These sanctions target individuals and entities involved in a wide range of cyber and information interference operations globally, underscoring the UK’s commitment to holding those responsible accountable. Foreign Secretary David Lammy emphasized that these actions are a clear message to the Kremlin: “GRU spies are running a campaign to destabilise Europe, undermine Ukraine’s sovereignty and threaten the safety of British citizens. The Kremlin should be in no doubt: we see what they are trying to do in the shadows and we won’t tolerate it.”
The NCSC has consistently highlighted the persistent and sophisticated cyber threat posed by Russia’s GRU. Paul Chichester, NCSC Director of Operations, urged network defenders not to underestimate this threat and to prioritize monitoring and protective actions. He reiterated the NCSC’s commitment to exposing Russian malicious cyber activity and providing guidance to organizations to bolster their resilience. This latest revelation builds on previous NCSC call-outs, which have linked APT28 (Unit 26165) to targeting Western logistics entities and technology companies, Unit 29155 to digital sabotage attacks, and Unit 74455 (Sandworm) to the use of Cyclops Blink malware and an attempted attack on the Organisation for the Prohibition of Chemical Weapons in 2018.
The UK’s comprehensive response, including sanctions and public attribution, aligns with its National Security Strategy, which prioritizes countering cyber and hybrid threats. This commitment is further solidified by the largest sustained boost in defence spending since the Cold War, aiming for 2.6% of GDP by 2027. By exposing tools like AUTHENTIC ANTICS and sanctioning those responsible, the UK aims to enhance national security, protect its allies, and uphold international norms in cyberspace, reinforcing its resolve against state-sponsored malign activities.
Reference:
