The UK’s National Cyber Security Centre (NCSC) has officially linked a sophisticated malware campaign, known as ‘Authentic Antics’, to the notorious APT28 hacking group—also known as Fancy Bear—which is connected to Russia’s military intelligence service (GRU).
According to a technical analysis released by NCSC, the malware is designed to steal credentials and OAuth 2.0 tokens to gain unauthorized access to victims’ email accounts. The attacks were observed in 2023, with the malware running inside Microsoft Outlook, mimicking login prompts to trick users into revealing their information.
“The Government has today (July 18) exposed Russian military intelligence actors for using previously unknown malicious software to enable espionage against victim email accounts,” the UK government announced.
How ‘Authentic Antics’ Works
- Injects into the Outlook process to display fake Microsoft login prompts.
- Steals login credentials and authorization codes for apps like Exchange Online, SharePoint, and OneDrive.
- Sends stolen data via the victim’s own Outlook account to attacker-controlled email addresses.
- Avoids detection by:
  - Disabling the “save to sent” folder.
  - Avoiding external command-and-control servers.
  - Using Outlook-specific registry locations for storage.
The malware includes multiple components: a dropper, an infostealer, and various PowerShell scripts, demonstrating a high level of sophistication and long-term stealth capabilities.
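The exfiltration pattern in the list above (mail sent from the victim’s own mailbox to an attacker address, with no copy left in Sent Items) is something a defender can hunt for without any indicator of the malware itself. The following is an added example written for this article, not code from NCSC or the report; it assumes two hypothetical exports per tenant, an outbound message trace and a per-mailbox listing of Sent Items, and the field names and records are constructed.

```python
"""Hunting heuristic for external sends that left no copy in Sent Items.

Assumption (hypothetical data sources): an outbound message-trace export with
message id, sender and recipient, plus a listing of each mailbox's Sent Items
folder by message id. All field names and records below are constructed.
"""
from collections import defaultdict

INTERNAL_DOMAINS = {"corp.example"}  # hypothetical tenant domains

# Constructed outbound message-trace export (not real telemetry).
OUTBOUND_TRACE = [
    {"msg_id": "m1", "sender": "alice@corp.example", "recipient": "bob@corp.example"},
    {"msg_id": "m2", "sender": "alice@corp.example", "recipient": "bob@corp.example"},
    {"msg_id": "m3", "sender": "alice@corp.example", "recipient": "collector@mail.example"},
    {"msg_id": "m4", "sender": "alice@corp.example", "recipient": "collector@mail.example"},
    {"msg_id": "m5", "sender": "carol@corp.example", "recipient": "partner@vendor.example"},
]

# Constructed Sent Items listing per mailbox: m3 and m4 were never saved.
SENT_ITEMS = {
    "alice@corp.example": {"m1", "m2"},
    "carol@corp.example": {"m5"},
}


def is_external(address: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """True when the recipient's domain is outside the tenant's own domains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in internal_domains


def find_unsaved_external_sends(trace, sent_items, internal_domains=INTERNAL_DOMAINS):
    """Return {sender: {recipient: [msg_ids]}} for external sends with no Sent Items copy.

    A mailbox repeatedly mailing the same external address while nothing lands in
    its Sent Items folder matches the behaviour described above and merits triage.
    """
    hits = defaultdict(lambda: defaultdict(list))
    for rec in trace:
        if not is_external(rec["recipient"], internal_domains):
            continue
        saved = sent_items.get(rec["sender"], set())
        if rec["msg_id"] not in saved:
            hits[rec["sender"]][rec["recipient"]].append(rec["msg_id"])
    return {sender: dict(by_rcpt) for sender, by_rcpt in hits.items()}


if __name__ == "__main__":
    for sender, by_rcpt in find_unsaved_external_sends(OUTBOUND_TRACE, SENT_ITEMS).items():
        for recipient, ids in by_rcpt.items():
            print(f"{sender} -> {recipient}: {len(ids)} unsaved message(s) {ids}")
```

Legitimate clients that disable saving sent mail will also surface here, so treat a hit as a triage lead to be correlated with sign-in and consent logs rather than as proof of compromise.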
Sanctions and Attribution
In response to the revelations, the UK Government has sanctioned three GRU military units (26165, 29155, and 74455) and 18 Russian individuals believed to be involved in cyberespionage operations, including the deployment of Authentic Antics.
APT28, also known as Sednit, Sofacy, STRONTIUM, and Forest Blizzard, has a long history of cyberattacks targeting Western governments, media, and military entities.
UK officials warned that these operations are part of a broader effort by Russian intelligence to destabilize Europe and undermine democratic institutions. The NCSC reaffirmed its commitment to exposing such threats and protecting national cybersecurity.