NCSC calls out Russian military intelligence for use of espionage tool

NCSC

The National Cyber Security Centre (NCSC) has exposed Russian military intelligence actors for using previously unknown malicious software to enable espionage against victim email accounts, in a move that will keep the UK and its allies safer.

The NCSC – a part of GCHQ – has revealed for the first time that the cyber threat group APT 28 has been responsible for deploying a sophisticated malware dubbed AUTHENTIC ANTICS as part of its operations.

The UK has previously said APT 28 is part of Russia’s GRU 85th Main Special Service Centre, Military Unit 26165. 

The attribution comes as the UK Government has today sanctioned three GRU units (26165, 29155 and 74455) and 18 GRU officers and agents for their part in cyber and information interference operations across the globe in support of wider Russian geopolitical and military objectives. The Strategic Defence Review identified the most acute threat as that posed by Russia.

An analysis of AUTHENTIC ANTICS by the NCSC shows that it has been specifically designed to give the actor persistent access to a victim’s Microsoft cloud accounts from the compromised endpoint, while blending in with legitimate activity.

It periodically displays a login window prompting the user to enter their credentials, which the malware intercepts together with the OAuth authentication tokens that grant access to Microsoft services.

The malware also exfiltrates victims’ data by sending emails from the victim’s account to an actor-controlled email address, without those emails appearing in the account’s ‘Sent’ folder.
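The behaviour just described gives defenders a concrete check: a mailbox that sends mail with no corresponding copy landing in Sent Items, especially repeatedly to the same external address. The script below is an added illustration of that correlation, not NCSC or Microsoft code, and it runs over a constructed, hypothetical mailbox-audit export. The field names (`op`, `msg_id`, `folder`, `to`, `client`), the `INTERNAL_DOMAIN` value and the sample records are all assumptions for this example, not the real Microsoft 365 audit log schema.

```python
import json
from dataclasses import dataclass

# Assumption: the victim organisation's own mail domain.
INTERNAL_DOMAIN = "example.org"

# Constructed sample export (not real audit data). The schema is a simplified,
# hypothetical stand-in: one JSON object per mailbox event.
SAMPLE_LOG = """
{"ts": "2023-06-01T09:00:00Z", "user": "alice@example.org", "op": "Send",   "msg_id": "m1", "to": ["bob@example.org"], "client": "Outlook"}
{"ts": "2023-06-01T09:00:01Z", "user": "alice@example.org", "op": "Create", "msg_id": "m1", "folder": "Sent Items", "client": "Outlook"}
{"ts": "2023-06-01T09:05:00Z", "user": "alice@example.org", "op": "Send",   "msg_id": "m2", "to": ["drop@attacker.example"], "client": "UnknownApp"}
{"ts": "2023-06-01T09:06:00Z", "user": "alice@example.org", "op": "Send",   "msg_id": "m3", "to": ["carol@example.org"], "client": "Outlook"}
{"ts": "2023-06-01T09:06:01Z", "user": "alice@example.org", "op": "Create", "msg_id": "m3", "folder": "Sent Items", "client": "Outlook"}
{"ts": "2023-06-01T10:05:00Z", "user": "alice@example.org", "op": "Send",   "msg_id": "m4", "to": ["drop@attacker.example"], "client": "UnknownApp"}
{"ts": "2023-06-01T10:30:00Z", "user": "dave@example.org",  "op": "Send",   "msg_id": "m5", "to": ["erin@example.org"], "client": "UnknownApp"}
"""


@dataclass(frozen=True)
class Finding:
    user: str
    msg_id: str
    recipients: tuple   # every recipient of the silent send
    external: tuple     # the subset outside INTERNAL_DOMAIN
    client: str


def parse_log(text):
    """Parse the JSON-lines export into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_silent_sends(events, internal_domain=INTERNAL_DOMAIN):
    """Return every Send event for which the same mailbox never recorded a
    copy of that message being created in Sent Items."""
    sent_copies = {
        (e["user"], e["msg_id"])
        for e in events
        if e["op"] == "Create" and e.get("folder") == "Sent Items"
    }
    findings = []
    for e in events:
        if e["op"] != "Send" or (e["user"], e["msg_id"]) in sent_copies:
            continue
        external = tuple(
            r for r in e["to"]
            if r.rsplit("@", 1)[-1].lower() != internal_domain.lower()
        )
        findings.append(Finding(e["user"], e["msg_id"], tuple(e["to"]),
                                external, e["client"]))
    return findings


def external_destinations(findings):
    """Count silent sends per (user, external recipient). A destination that
    recurs is the exfiltration-channel pattern to escalate first."""
    counts = {}
    for f in findings:
        for r in f.external:
            counts[(f.user, r)] = counts.get((f.user, r), 0) + 1
    return counts


if __name__ == "__main__":
    found = find_silent_sends(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f.user} sent {f.msg_id} via {f.client} with no Sent Items copy; "
              f"external recipients: {list(f.external) or 'none'}")
    for (user, dest), n in external_destinations(found).items():
        print(f"{user} -> {dest}: {n} silent send(s)")
```

Two caveats when adapting this to a real tenant: mailbox auditing has to be enabled and retained for the Send and folder events to exist at all, and some legitimate integrations also send without saving a Sent Items copy, so baseline the `client` value per user before treating a single silent send as malicious. Pairing the silent-send count with the sign-in and consent history for the OAuth tokens the article mentions is the natural next correlation.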

Helping UK organisations build resilience against cyber threats and protecting the UK’s national security is a vital step to secure the foundations for the government’s Plan for Change. 

That is why the UK has announced the largest sustained boost in defence spending since the Cold War – increasing to 2.6% of GDP by 2027. As outlined in the National Security Strategy, this marks a bold step forward making the UK stronger and more secure by countering cyber and hybrid threats, in a world that is characterised by radical uncertainty.

“GRU spies are running a campaign to destabilise Europe, undermine Ukraine’s sovereignty and threaten the safety of British citizens,” Foreign Secretary, David Lammy, said. “The Kremlin should be in no doubt: we see what they are trying to do in the shadows and we won’t tolerate it.

“That’s why we’re taking decisive action with sanctions against Russian spies. Protecting the UK from harm is fundamental to this government’s Plan for Change.

“Putin’s hybrid threats and aggression will never break our resolve. The UK and our Allies’ support for Ukraine and Europe’s security is ironclad.”

“The use of AUTHENTIC ANTICS malware demonstrates the persistence and sophistication of the cyber threat posed by Russia’s GRU,” Paul Chichester, NCSC Director of Operations, added. “NCSC investigations of GRU activities over many years show that network defenders should not take this threat for granted and that monitoring and protective action is essential for defending systems.

“We will continue to call out Russian malicious cyber activity and strongly encourage network defenders to follow advice available on the NCSC website.”

The AUTHENTIC ANTICS malware was discovered in the aftermath of a cyber incident which was investigated by Microsoft and the NCSC-assured cyber incident response provider NCC Group in 2023. 

The NCSC has previously called out APT 28 / Unit 26165, also known in open source as Fancy Bear, Forest Blizzard and Blue Delta, for targeting western logistics entities and technology companies.

The UK has also exposed Unit 29155 for carrying out digital sabotage attacks and Unit 74455, also known in open source as Sandworm, for use of the malware Cyclops Blink and the attempted attack on the Organisation for the Prohibition of Chemical Weapons in 2018.

The full report on AUTHENTIC ANTICS can be found on the NCSC’s website. Associated files relating to this report can also be found via the NCSC’s Malware Analysis Reports page. 
