The UK’s National Cyber Security Centre (NCSC) has issued a formal notice attributing a series of hostile cyber attacks using a variety of malware dubbed Authentic Antics to Russian-state operated advanced persistent threat (APT) group Fancy Bear.
Authentic Antics is designed to steal login credentials and tokens for its victims email accounts, allowing Russian cyber spies to establish long-term access to their surveillance targets.
Fancy Bear, which goes by APT28 in some threat matrices, is operated as part of the 85th Main Special Service Centre, Military Unit 26165, and ultimately answers to the GRU, a successor intelligence agency to the KGB of Cold War legend.
“The use of Authentic Antics malware demonstrates the persistence and sophistication of the cyber threat posed by Russia’s GRU,” said NCSC operations director Paul Chichester.
“NCSC investigations of GRU activities over many years show that network defenders should not take this threat for granted and that monitoring and protective action is essential for defending systems.
“We will continue to call out Russian malicious cyber activity and strongly encourage network defenders to follow advice available on the NCSC website,” said Chichester.
Working with NCC Group, which provided samples of Authentic Antics, the NCSC’s experts have conducted a lengthy analysis of the malware – this can be read in full here – which blends in with everyday, legitimate activity to enable Fancy Bear to maintain persistent endpoint access to Microsoft cloud accounts.
The malware has been widely used since about 2023, and runs within Microsoft Outlook processes where it displays malicious login prompts to its target in order to get them to enter their credentials, which are then intercepted along with OAuth 2.0 authentication tokens for various applications, likely including Exchange Online, SharePoint and OneDrive.
The NCSC said it had been cleverly designed to exploit growing familiarity among end-users with genuine Microsoft authentication prompts, including generating prompts from within Outlook processes, and ensuring they do not display too frequently.
Authentic Antics does not communicate with any command and control (C2) infrastructure and cannot receive additional tasking. It talks only to legitimate services, meaning that when it is active it is much harder to pick out – for example it exfiltrates its victims’ data by sending emails from the compromised account to an email address controlled by Fancy Bear – these sent emails do not show up in the victim’s sent items folder.
The agency said that “significant thought” had gone into Authentic Antics’ design to ensure it blends in with normal activity. Among other things, its presence on disk is limited, it stores data in Outlook-specific registry locations, and its codebase includes genuine Microsoft authentication library code as an obfuscation method.
“It is clear the intention of the malware is to gain persistent access to victim email accounts. This highlights the benefit of monitoring your tenant for suspicious logins,” said the NCSC’s analysts.
Sanctions
The attribution comes alongside the announcement of wider sanctions against three GRU Units – including Unit 26165 – and 18 officers and agents who allegedly run cyber and information interference operations in support of Russia’s geopolitical and military objectives.
Among those sanctioned are GRU military intelligence officers who targeted and surveilled the device of Yulia Skripal, daughter of double agent Sergei Skripal, prior to the infamously botched Novichok poisoning attempt against them in 2018 that claimed the life of a British national, Dawn Sturgess.
“GRU spies are running a campaign to destabilise Europe, undermine Ukraine’s sovereignty and threaten the safety of British citizens,” said foreign secretary David Lammy.
“The Kremlin should be in no doubt: we see what they are trying to do in the shadows and we won’t tolerate it. That’s why we’re taking decisive action with sanctions against Russian spies.
Speaking in support of the UK’s actions, a Nato spokesperson condemned Russia’s ongoing malicious cyber activities, noting other attributions made to Fancy Bear, which earlier this year was called out for targeting Western logistics and technology organisations involved in supporting the defence of Ukraine.
“We call on Russia to stop its destabilising cyber and hybrid activities. These activities demonstrate Russia’s disregard for the United Nations framework for responsible state behaviour in cyberspace, which Russia claims to uphold,” a spokesperson said.
“Russia’s actions will not deter Allies’ support to Ukraine, including cyber assistance through the Tallinn Mechanism and IT capability coalition. We will continue to use the lessons learned from the war against Ukraine in countering Russian malicious cyber activity.”
