The attribution names three GRU units and malware dubbed AUTHENTIC ANTICS deployed as part of their operations.
UK Government has named three Russian military intelligence agency units and 18 military intelligence officers as being responsible for conducting a sustained campaign of malicious cyber activity against the UK.
The government said the actors used previously unknown malicious software to enable espionage against victims' email accounts. Among those named is APT28, which it said has been responsible for deploying sophisticated malware dubbed AUTHENTIC ANTICS as part of its operations.
Authentic Antics
The NCSC determined AUTHENTIC ANTICS to have been specifically designed to enable persistent endpoint access to Microsoft cloud accounts by blending in with legitimate activity.
It periodically displays a login window prompting the user to share their credentials, which are then intercepted by the malware, along with OAuth authentication tokens that allow access to Microsoft services.
The malware also exfiltrates victims’ data by sending emails from the victim’s account to an actor-controlled email address without the emails showing in the ‘sent’ folder, and steals victims’ login details and tokens to enable long-term access to email accounts.
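One defender-side check for the exfiltration pattern described above is to reconcile messages actually sent from an account against what the user's Sent folder contains, and flag external recipients who repeatedly receive mail that never appears there. This is an added example, not code from the NCSC or the article; the event and folder shapes are simplified hypothetical data constructed here, not a real product's audit schema.

```python
from collections import defaultdict

# Constructed sample data (hypothetical shapes, not a real audit log format):
# outbound mail events seen by the mail service, and the message IDs present
# in each user's Sent Items folder at the time of the check.
SEND_EVENTS = [
    {"user": "alice@example.org", "msg_id": "<m1@example.org>", "to": "bob@example.org"},
    {"user": "alice@example.org", "msg_id": "<m2@example.org>", "to": "drop@collector.invalid"},
    {"user": "alice@example.org", "msg_id": "<m3@example.org>", "to": "drop@collector.invalid"},
    {"user": "alice@example.org", "msg_id": "<m4@example.org>", "to": "carol@partner.example"},
    {"user": "alice@example.org", "msg_id": "<m5@example.org>", "to": "carol@partner.example"},
]
SENT_ITEMS = {"alice@example.org": {"<m1@example.org>", "<m4@example.org>"}}


def recipient_domain(addr):
    """Domain part of an email address, lower-cased for comparison."""
    return addr.rsplit("@", 1)[-1].lower()


def find_hidden_sends(send_events, sent_items, internal_domains, threshold=2):
    """Return {(user, recipient): [msg_ids]} for external recipients that got
    at least `threshold` messages absent from the sender's Sent folder.

    A single missing message is often just a user tidying their mailbox, so a
    threshold is applied before a pair is reported; internal recipients are
    ignored because the described exfiltration goes to an attacker mailbox.
    """
    missing = defaultdict(list)
    for ev in send_events:
        if ev["msg_id"] in sent_items.get(ev["user"], set()):
            continue  # visible in Sent Items: normal behaviour
        if recipient_domain(ev["to"]) in internal_domains:
            continue  # internal mail is out of scope for this check
        missing[(ev["user"], ev["to"])].append(ev["msg_id"])
    return {pair: ids for pair, ids in missing.items() if len(ids) >= threshold}


if __name__ == "__main__":
    for (user, rcpt), ids in find_hidden_sends(SEND_EVENTS, SENT_ITEMS, {"example.org"}).items():
        print(f"{user} -> {rcpt}: {len(ids)} message(s) not in Sent Items: {ids}")
```

In practice the events would come from the mail service's audit trail and the Sent folder listing from the mailbox API, and hits should be correlated with recent OAuth token or consent activity for the same account.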
APT28, also known as Fancy Bear, was previously called out by the NCSC for targeting western logistics entities and technology companies.
Paul Chichester, NCSC director of operations, said: “The use of AUTHENTIC ANTICS malware demonstrates the persistence and sophistication of the cyber threat posed by Russia’s GRU. NCSC investigations of GRU activities over many years show that network defenders should not take this threat for granted and that monitoring and protective action is essential for defending systems.”
Foreign Secretary David Lammy said: “GRU spies are running a campaign to destabilise Europe, undermine Ukraine’s sovereignty and threaten the safety of British citizens.
“The Kremlin should be in no doubt: we see what they are trying to do in the shadows and we won’t tolerate it. That’s why we’re taking decisive action with sanctions against Russian spies. Protecting the UK from harm is fundamental to this government’s Plan for Change.
“Putin’s hybrid threats and aggression will never break our resolve. The UK and our Allies’ support for Ukraine and Europe’s security is ironclad.”
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.