UK NCSC links ‘Authentic Antics’ malware to Russia’s GRU and APT28, imposes sanctions on hacker operatives


The U.K.’s National Cyber Security Centre (NCSC) has formally attributed a cyber campaign using the malware ‘Authentic Antics’ to Russia’s military intelligence agency, the GRU. The attribution comes alongside U.K. sanctions targeting multiple GRU units and 18 Russian individuals involved in coordinated hybrid operations against Western nations. 

The NCSC identified APT28, also known as Fancy Bear, Unit 26165, Forest Blizzard, and Blue Delta, as the hacker group behind the campaign, which has targeted Western logistics and technology sectors using the malware. The Authentic Antics malware was uncovered following a 2023 cyber incident investigated jointly by Microsoft and the NCSC-assured incident response firm NCC Group. The malware is engineered to steal login credentials and authentication tokens, granting the attackers long-term, stealthy access to victims’ email accounts. The U.K. has previously said APT28 is part of Russia’s GRU 85th Main Special Service Centre, Military Unit 26165.

“GRU spies are running a campaign to destabilise Europe, undermine Ukraine’s sovereignty and threaten the safety of British citizens,” David Lammy, the U.K.’s Secretary of State for Foreign and Commonwealth Affairs, said in a Friday media statement. “The Kremlin should be in no doubt: we see what they are trying to do in the shadows and we won’t tolerate it. That’s why we’re taking decisive action with sanctions against Russian spies. Protecting the UK from harm is fundamental to this government’s Plan for Change.”

Lammy added that “Putin’s hybrid threats and aggression will never break our resolve. The UK and our Allies’ support for Ukraine and Europe’s security is ironclad.”

“The use of AUTHENTIC ANTICS malware demonstrates the persistence and sophistication of the cyber threat posed by Russia’s GRU,” Paul Chichester, NCSC director of operations, said. “NCSC investigations of GRU activities over many years show that network defenders should not take this threat for granted and that monitoring and protective action is essential for defending systems. We will continue to call out Russian malicious cyber activity and strongly encourage network defenders to follow advice available on the NCSC website.”

Targeting the Windows operating system, the Authentic Antics malware runs within the Outlook process and produces periodic login prompts to intercept and exfiltrate Microsoft Office account credentials and tokens. The applications that the stolen Microsoft Office credentials and tokens can be used to access are configurable per tenant, but are likely to include Exchange Online, SharePoint, and OneDrive. Authentic Antics was observed in use in 2023.

“The stealer payload is a 64-bit .NET DLL which contains functionality to generate login prompts to authenticate to Microsoft’s OAuth 2.0 Authorization server and intercept the login requests to steal credentials and OAuth 2.0 tokens,” NCSC detailed. “The stolen credential and token data is then exfiltrated by authenticating to the victim’s Outlook on the web account via the Outlook web API, with the freshly stolen token, to send an email to an actor-controlled email address. AUTHENTIC ANTICS does not directly communicate with a Command-and-Control server and cannot receive tasking.”

Designed to enable persistent endpoint access to Microsoft cloud accounts by blending in with legitimate activity, the Authentic Antics malware periodically displays a login window prompting the user to share their credentials, which are then intercepted by the malware, along with OAuth authentication tokens that allow access to Microsoft services.

The malware also exfiltrates victims’ data by sending emails from the victim’s account to an actor-controlled email address without the emails showing in the ‘sent’ folder. 
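The two traits described above give defenders something concrete to hunt for: mail leaving a mailbox through the Outlook web API that never lands in the ‘sent’ folder, repeated over time to the same outside address. The following Python sketch is an added illustration, not tooling from the NCSC, NCC Group or Microsoft. It assumes a simplified, constructed audit record schema (fields `ts`, `user`, `op`, `client`, `to`, `saved_to_sent`) loosely modelled on Exchange Online mailbox audit events; the sample records, domains and addresses are all made up.

```python
"""Hunt for Authentic-Antics-style silent exfiltration in mailbox audit records.

Hypothetical detection sketch (not vendor or NCSC code). Field names are an
assumed simplified schema, not the real Exchange Online audit format.
"""
import json
from collections import defaultdict

# Constructed sample records, NOT real telemetry. One JSON object per line.
SAMPLE_AUDIT_LOG = """\
{"ts": "2023-06-01T09:02:11Z", "user": "alice@example.test", "op": "Send", "client": "OutlookRestApi", "to": ["bob@example.test"], "saved_to_sent": true}
{"ts": "2023-06-01T09:05:40Z", "user": "alice@example.test", "op": "Send", "client": "OutlookRestApi", "to": ["collector@attacker.invalid"], "saved_to_sent": false}
{"ts": "2023-06-01T10:17:03Z", "user": "alice@example.test", "op": "Send", "client": "OutlookRestApi", "to": ["collector@attacker.invalid"], "saved_to_sent": false}
{"ts": "2023-06-02T09:05:59Z", "user": "alice@example.test", "op": "Send", "client": "OutlookRestApi", "to": ["collector@attacker.invalid"], "saved_to_sent": false}
{"ts": "2023-06-02T11:30:00Z", "user": "carol@example.test", "op": "Send", "client": "Outlook", "to": ["partner@vendor.example"], "saved_to_sent": true}
{"ts": "2023-06-02T11:31:00Z", "user": "carol@example.test", "op": "MailItemsAccessed", "client": "Outlook", "to": [], "saved_to_sent": null}
"""

# The tenant's own domains (assumed); anything else counts as external.
INTERNAL_DOMAINS = {"example.test"}


def parse_records(text):
    """Parse one JSON object per line, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            records.append(json.loads(line))
    return records


def is_external(address, internal_domains):
    """True when the recipient's domain is not one of the tenant's own."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in internal_domains


def find_silent_external_sends(records, internal_domains):
    """Send events that skipped Sent Items and reached an external recipient.

    This is the trait the NCSC describes: mail leaves the victim mailbox
    without appearing in the 'sent' folder.
    """
    hits = []
    for rec in records:
        if rec.get("op") != "Send":
            continue
        # Only an explicit False counts; None/missing is unknown, not silent.
        if rec.get("saved_to_sent") is not False:
            continue
        external = [a for a in rec.get("to", []) if is_external(a, internal_domains)]
        if external:
            hits.append({**rec, "external_to": external})
    return hits


def build_alerts(records, internal_domains, min_count=2):
    """Group silent external sends by (sender, recipient) and flag repeats.

    A mailbox repeatedly sending hidden mail to the same outside address is a
    stronger signal than a single event, because the stealer re-runs its
    prompt-and-exfiltrate cycle periodically rather than once.
    """
    groups = defaultdict(list)
    for hit in find_silent_external_sends(records, internal_domains):
        for rcpt in hit["external_to"]:
            groups[(hit["user"], rcpt.lower())].append(hit["ts"])
    alerts = []
    for (user, rcpt), stamps in sorted(groups.items()):
        if len(stamps) >= min_count:
            alerts.append({
                "user": user,
                "recipient": rcpt,
                "count": len(stamps),
                "first_seen": min(stamps),  # ISO-8601 strings sort correctly
                "last_seen": max(stamps),
            })
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(parse_records(SAMPLE_AUDIT_LOG), INTERNAL_DOMAINS):
        print(alert)
```

Run against the constructed log, the script raises a single alert for alice’s three hidden sends to the outside address and ignores carol’s ordinary, saved message. In a real tenant the same logic needs a baseline first: legitimate integrations also send through the API without saving a copy, so the repeated-pair count and an allow-list of known recipients are what keep the signal useful.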

The NCSC recognizes that helping U.K. organizations build resilience against cyber threats and protecting the U.K.’s national security is a vital step to secure the foundations for the government’s Plan for Change. That is why the UK has announced the largest sustained boost in defence spending since the Cold War – increasing to 2.6% of GDP by 2027. As outlined in the National Security Strategy, this marks a bold step forward, making the UK stronger and more secure by countering cyber and hybrid threats in a world that is characterised by radical uncertainty.

The French foreign ministry attributed in May a series of cyberattacks on national interests to APT28, a group linked to Russia’s military intelligence agency (GRU), and has strongly condemned its use by the Russian state. Since 2021, this attack group has been used to target or compromise a dozen French entities. 

Last July, the Ukrainian Computer Emergency Response Team (CERT-UA) disclosed information about a cyberattack conducted by the UAC-0063 group, which targeted a Ukrainian scientific research institution using the Hatvibe and Cherryspy malware. The agency has identified with medium confidence that the activities of UAC-0063 are linked to those of the APT28 group (UAC-0001), which is associated with the State Department of the Armed Forces of the Russian Federation.
