The Register

UK uncovers novel Microsoft snooping malware, blames and sanctions GRU cyberspies

The UK government is warning that Russia’s APT28 (also known as Fancy Bear or Forest Blizzard) has been deploying previously unknown malware to harvest Microsoft email credentials and steal access to compromised accounts.

Both the UK and the US have previously said APT28 is part of Russia’s General Staff Main Intelligence Directorate (GRU) military unit 26165. Friday’s malware revelations – dubbed Authentic Antics by the UK – came just hours after the British government sanctioned three GRU units (26165, 29155, and 74455) and several individual spies, accused of “conducting a sustained campaign of malicious cyber activity over many years.”

Authentic Antics was initially discovered following a 2023 breach investigated by Microsoft and NCC Group, but today is the first time that the government has attributed it to the Russian military crew.

The malware targets the Windows operating system, running within Outlook, according to a technical analysis.

Authentic Antics periodically displays a login window that prompts the user to enter their credentials, and if they do, the malware steals the data, along with OAuth authentication tokens, which allow access to Microsoft services, including Exchange Online, SharePoint, and OneDrive. 

In addition, the malware exfiltrates victims’ data by sending emails from the victim’s account to an actor-controlled email address without the emails showing in the “sent” folder.
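One way a defender might hunt for the exfiltration pattern described above, as an added example that is not from the article or the NCSC analysis: correlate a mailbox send to an outside address with a deletion of the same message from Sent Items shortly afterwards. The event records and field names below are constructed and simplified for illustration, not a real Exchange audit export.

```python
from datetime import datetime, timedelta

# Constructed sample events, loosely modelled on mailbox-audit records
# (field names simplified; not a real export). Message m1 goes to an
# outside address and is removed from Sent Items two seconds later, which
# matches the "sent without showing in the Sent folder" behaviour the
# article describes. Message m2 is an ordinary internal send.
EVENTS = [
    {"time": "2025-07-18T09:00:05", "op": "Send", "user": "alice@example.org",
     "msg_id": "<m1@example.org>", "to": ["collector@attacker.example"]},
    {"time": "2025-07-18T09:00:07", "op": "HardDelete", "user": "alice@example.org",
     "msg_id": "<m1@example.org>", "folder": "Sent Items"},
    {"time": "2025-07-18T09:15:00", "op": "Send", "user": "alice@example.org",
     "msg_id": "<m2@example.org>", "to": ["bob@example.org"]},
]

DELETE_OPS = ("SoftDelete", "HardDelete", "MoveToDeletedItems")


def _ts(s):
    return datetime.fromisoformat(s)


def find_hidden_sends(events, internal_domain, window=timedelta(minutes=5)):
    """Return sends to an external recipient whose message was deleted from
    Sent Items by the same user within `window` of the send."""
    deletes = [e for e in events
               if e["op"] in DELETE_OPS and e.get("folder") == "Sent Items"]
    hits = []
    for s in events:
        if s["op"] != "Send":
            continue
        external = [r for r in s["to"]
                    if not r.lower().endswith("@" + internal_domain.lower())]
        if not external:
            continue
        for d in deletes:
            delay = _ts(d["time"]) - _ts(s["time"])
            if (d["msg_id"] == s["msg_id"] and d["user"] == s["user"]
                    and timedelta(0) <= delay <= window):
                hits.append({"msg_id": s["msg_id"], "user": s["user"],
                             "to": external, "delay_s": delay.total_seconds()})
                break  # one matching delete is enough to flag this send
    return hits


if __name__ == "__main__":
    for h in find_hidden_sends(EVENTS, "example.org"):
        print(f"{h['user']} -> {h['to']} ({h['msg_id']}) removed after {h['delay_s']:.0f}s")
```

A single hit is only a lead; legitimate users also delete sent mail, so the flagged sends belong in a review queue alongside the sign-in and token activity for the same account.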

“The use of Authentic Antics malware demonstrates the persistence and sophistication of the cyber threat posed by Russia’s GRU,” the UK’s National Cyber Security Centre director of operations Paul Chichester said in a statement.

“NCSC investigations of GRU activities over many years show that network defenders should not take this threat for granted and that monitoring and protective action is essential for defending systems,” he added.

In May, the NCSC, US National Security Agency, and several other government agencies warned that this same GRU cyber-spy unit was targeting “dozens” of Western and NATO-country logistics providers, tech companies, and government orgs providing transport and foreign assistance to Ukraine.

The advisory says the snoops also targeted internet-connected cameras at border crossings to track aid shipments in an ongoing campaign that began in 2022, which is when Russia first invaded neighboring Ukraine.

That same year, GRU unit 26165 conducted online reconnaissance to guide missile strikes against Mariupol – including the strike that destroyed the Mariupol Theatre and reportedly killed hundreds of civilians, including children.

According to the UK government, the GRU units and the officers sanctioned today also planted X-Agent spyware on phones belonging to former Russian double agent Sergei Skripal and his daughter, Yulia, before reportedly poisoning them with Novichok in 2018.

The GRU officers sanctioned include: Aleksandr Vladimirovich Osadchuk, Yevgeniy Mikhaylovich Serebriakov, Anatoliy Sergeyvich Kovalev, Artem Valeryvich Ochichenko, Vladislav Yevgenyevich Borovkov, Nikolay Aleksandrovich Korchagin, Yuriy Federovich Denisov, Vitaly Aleksandrovich Shevchenko, Ivan Sergeyevich Yermakov, Aleksey Viktorovich Lukashev, Sergey Sergeyevich Vasyuk, Andrey Eduardovich Baranov, Aleksey Sergeyevich Morenets, Sergey Aleksandrovich Morgachev, Artem Adreyevich Malyshev, Yuriy Leonidovich Shikolenko, Victor Borisovich Netyksho, Dmitriy Aleksandrovich Mikhaylov, Artyom Sergeevich Kureyev, Anna Sergeevna Zamaraeva, and Victor Aleksandrovich Lukovenko.  

In conjunction with the UK sanctions, both the EU and NATO issued statements condemning Russia’s malicious cyber activities and attributing recent digital intrusions and snooping campaigns to the GRU.

Microsoft says it has nothing to share, and CISA has referred us to the NCSC; we’ll update if we receive any additional comment. ®
