UK Accuses Russian GRU of Sophisticated Email Hacking Campaign with ‘Authentic Antics’ Malware
The United Kingdom’s National Cyber Security Centre (NCSC) has formally attributed a sustained and complex cyber espionage operation to the Russian military intelligence agency, the GRU, utilizing a novel malware strain dubbed “Authentic Antics.” The campaign, targeting email accounts to establish long-term surveillance access, underscores the escalating threat posed by state-sponsored actors in the digital realm.
A Persistent and Evolving Threat
Authentic Antics is specifically engineered to pilfer login credentials and authentication tokens, granting Russian cyber operatives prolonged access to the email accounts of targeted individuals. According to the NCSC, the malware is deployed by Fancy Bear – also known as APT28 – a notorious advanced persistent threat (APT) group directly linked to the GRU’s 85th Main Special Service Centre and Military Unit 26165.
“The use of Authentic Antics malware demonstrates the persistence and sophistication of the cyber threat posed by Russia’s GRU,” stated a senior NCSC official. “Investigations over many years show that network defenders should not take this threat for granted, and proactive monitoring is essential.”
How ‘Authentic Antics’ Works
The malware, first observed around 2023, operates within the Microsoft Outlook environment, presenting deceptive login prompts to unsuspecting users. These prompts are designed to mimic legitimate Microsoft authentication requests, exploiting users’ familiarity with the interface to trick them into entering their credentials. Once captured, these credentials – along with OAuth 2.0 tokens – provide access to a range of Microsoft cloud services, including Exchange Online, SharePoint, and OneDrive.
What sets Authentic Antics apart is its stealth. The NCSC’s analysis, conducted in collaboration with NCC Group, reveals the malware’s deliberate design to blend seamlessly into normal system activity. It avoids direct communication with external command and control servers, instead leveraging legitimate services for data exfiltration. For example, compromised accounts are used to send emails to addresses controlled by Fancy Bear, but these emails are cleverly hidden from the victim’s sent items folder.
“Significant thought has gone into Authentic Antics’ design to ensure it blends in with normal activity,” analysts at the NCSC noted. The malware minimizes its footprint on disk, stores data in Outlook-specific registry locations, and even incorporates genuine Microsoft authentication library code as a form of obfuscation.
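One detection a defender can build from the behaviour described above is to reconcile a mailbox's server-side message trace against its Sent Items folder, so that outbound mail the user never sees in Sent Items stands out. This is an added example, not code from the NCSC report or the article; the mailbox, domains and both data sets are constructed sample data, and the CSV column layout is an assumption rather than Microsoft's export format.

```python
# Added example: flag outbound mail present in the server message trace
# but absent from the user's Sent Items, the pattern the article attributes
# to Authentic Antics. All names, domains and rows below are constructed.
import csv
import io

VICTIM = "j.smith@example.gov"        # constructed mailbox under review
ORG_DOMAIN = "example.gov"            # constructed organisation domain

# Constructed message-trace export: one row per message the server accepted.
# The column names are an assumption, not a real Microsoft export format.
MESSAGE_TRACE = """\
timestamp,sender,recipient,message_id
2024-05-01T09:12:03Z,j.smith@example.gov,a.jones@example.gov,<m1@example.gov>
2024-05-01T09:40:17Z,j.smith@example.gov,vendor@partner.example,<m2@example.gov>
2024-05-01T23:05:44Z,j.smith@example.gov,drop@attacker-controlled.example,<m3@example.gov>
2024-05-02T07:18:09Z,j.smith@example.gov,drop@attacker-controlled.example,<m4@example.gov>
"""

# Constructed set of Message-IDs actually present in the user's Sent Items.
SENT_ITEMS_IDS = {"<m1@example.gov>", "<m2@example.gov>"}


def find_hidden_outbound(trace_csv: str, sent_ids: set, mailbox: str) -> list:
    """Return trace rows sent by `mailbox` whose Message-ID is not in Sent Items.

    Each finding records the recipient, the Message-ID and whether the
    recipient is outside the organisation (external recipients weigh higher).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(trace_csv)):
        if row["sender"].lower() != mailbox.lower():
            continue  # only outbound mail from the mailbox under review
        if row["message_id"] in sent_ids:
            continue  # present in Sent Items: ordinary user-sent mail
        external = not row["recipient"].lower().endswith("@" + ORG_DOMAIN)
        findings.append({"timestamp": row["timestamp"],
                         "recipient": row["recipient"],
                         "message_id": row["message_id"],
                         "external": external})
    return findings


def suspicious_recipients(findings: list) -> dict:
    """Count hidden, externally addressed messages per recipient address."""
    counts = {}
    for f in findings:
        if f["external"]:
            counts[f["recipient"]] = counts.get(f["recipient"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_hidden_outbound(MESSAGE_TRACE, SENT_ITEMS_IDS, VICTIM)
    for h in hits:
        print(h)
    print(suspicious_recipients(hits))
```

A repeated external recipient receiving mail that never reached Sent Items is the signal worth an analyst's attention; a single miss can also be a user deleting their own sent message, so the count matters.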
Sanctions and International Condemnation
The attribution of these attacks has been accompanied by a robust response from the UK government, announcing sanctions against three GRU units – including Unit 26165 – and 18 individuals allegedly involved in cyber and information interference operations. These sanctions are a direct response to Russia’s ongoing efforts to destabilize Europe, undermine Ukraine’s sovereignty, and threaten the security of British citizens.
Notably, several of the sanctioned individuals were previously implicated in the surveillance of Yulia Skripal, daughter of former Russian intelligence officer Sergei Skripal, prior to the 2018 Novichok poisoning attempt in Salisbury, which resulted in the death of Dawn Sturgess.
“The Kremlin should be in no doubt: we see what they are trying to do in the shadows and we won’t tolerate it,” declared Foreign Secretary David Lammy. “That’s why we’re taking decisive action with sanctions against Russian spies.”
NATO has also voiced strong condemnation of Russia’s malicious cyber activities, highlighting previous attributions of attacks to Fancy Bear, including recent targeting of Western logistics and technology firms supporting Ukraine’s defense.
“Russia’s actions will not deter Allies’ support to Ukraine, including cyber assistance,” a NATO spokesperson affirmed. “We will continue to use the lessons learned from the war against Ukraine in countering Russian malicious cyber activity.”
Protecting Against the Threat
The NCSC strongly advises network defenders to prioritize monitoring for suspicious login activity and to consult the guidance available on the NCSC website for protective measures. The sophistication of Authentic Antics underscores the need for vigilance and proactive cybersecurity practices to mitigate the risks posed by state-sponsored threat actors. The agency’s detailed analysis of the malware is published on the NCSC website.
