The United Kingdom has imposed sanctions on Russian military intelligence units and 18 individuals following the exposure of a sophisticated cyber espionage campaign targeting Microsoft cloud services. The National Cyber Security Centre (NCSC) revealed that the Russian Advanced Persistent Threat group APT28 deployed previously unknown malware called AUTHENTIC ANTICS to steal login credentials and maintain persistent access to victim email accounts.
AUTHENTIC ANTICS Targets Microsoft Cloud Environment
The AUTHENTIC ANTICS malware represents a significant evolution in Russian cyber capabilities: it is specifically designed to target Microsoft cloud environments through sophisticated credential harvesting. According to the NCSC’s technical analysis, the malware operates by periodically displaying legitimate-looking login windows that prompt users to enter their credentials. It captures the entered credentials together with OAuth authentication tokens, which give the attackers extended access to Microsoft services without triggering traditional security alerts.
The malware’s stealth capabilities extend beyond simple credential theft. AUTHENTIC ANTICS can exfiltrate sensitive data by automatically sending emails from compromised accounts to actor-controlled addresses while ensuring these messages never appear in the victim’s sent folder. This technique allows for covert data extraction that can remain undetected for extended periods, enabling long-term intelligence gathering operations.
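A defender-side check for the exfiltration behaviour described above (mail that leaves the tenant but never appears in the sender’s Sent Items), added here as an example and not taken from the NCSC report or this article. The record shapes, field names and sample addresses are constructed assumptions for illustration, not Microsoft’s message-trace or mailbox schema.

```python
"""Flag outbound mail that left the tenant but has no matching Sent Items entry.

Constructed example: record shapes and field names are assumptions for
illustration, not Microsoft's actual message-trace or mailbox schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

ORG_DOMAINS = {"example.org"}          # constructed: the protected tenant's domains
MATCH_WINDOW = timedelta(minutes=5)    # tolerance between gateway time and mailbox time

@dataclass(frozen=True)
class TraceRecord:      # outbound message seen by the mail gateway (constructed shape)
    sender: str
    recipient: str
    subject: str
    sent_at: datetime

@dataclass(frozen=True)
class SentItem:         # message present in the sender's Sent Items (constructed shape)
    mailbox: str
    recipient: str
    subject: str
    sent_at: datetime

def is_external(address: str) -> bool:
    """True when the recipient domain is not one of the tenant's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS

def missing_from_sent(trace: list[TraceRecord], sent: list[SentItem]) -> list[TraceRecord]:
    """Return externally-addressed trace records with no Sent Items entry within MATCH_WINDOW."""
    index: dict[tuple[str, str, str], list[datetime]] = {}
    for item in sent:
        key = (item.mailbox.lower(), item.recipient.lower(), item.subject)
        index.setdefault(key, []).append(item.sent_at)
    flagged = []
    for rec in trace:
        if not is_external(rec.recipient):
            continue  # internal mail is out of scope for this check
        times = index.get((rec.sender.lower(), rec.recipient.lower(), rec.subject), [])
        if not any(abs(rec.sent_at - t) <= MATCH_WINDOW for t in times):
            flagged.append(rec)
    return flagged

# Constructed sample data: one internal mail, one legitimate external mail, one hidden send
T0 = datetime(2023, 6, 1, 9, 0)
SAMPLE_TRACE = [
    TraceRecord("alice@example.org", "bob@example.org", "Q2 report", T0),
    TraceRecord("alice@example.org", "partner@supplier.test", "Invoice", T0 + timedelta(minutes=3)),
    TraceRecord("alice@example.org", "drop@collector.invalid", "Fwd: Q2 report", T0 + timedelta(minutes=7)),
]
SAMPLE_SENT = [
    SentItem("alice@example.org", "partner@supplier.test", "Invoice", T0 + timedelta(minutes=3, seconds=20)),
]

if __name__ == "__main__":
    for rec in missing_from_sent(SAMPLE_TRACE, SAMPLE_SENT):
        print(f"ALERT {rec.sender} -> {rec.recipient} '{rec.subject}' at {rec.sent_at:%H:%M} not in Sent Items")
```

In practice the two inputs would come from the gateway’s message trace and a periodic export of each mailbox’s Sent Items; the join key and time window should be tuned to the real exports.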
UK’s Response and Sanctions
In response to these cyber activities, the UK has imposed comprehensive sanctions against three GRU units: 26165, 29155, and 74455, along with 18 GRU officers and agents involved in global cyber and information interference operations. Foreign Secretary David Lammy emphasized that these measures demonstrate the UK’s commitment to countering Russian hybrid threats, stating that “GRU spies are running a campaign to destabilise Europe, undermine Ukraine’s sovereignty and threaten the safety of British citizens.”
This attribution aligns with the Strategic Defence Review’s identification of Russia as the most acute threat facing the UK. The government has announced the largest sustained boost in defence spending since the Cold War, increasing to 2.6% of GDP by 2027 as part of efforts to counter cyber and hybrid threats.
APT28’s Broader Cyber Activities
APT28, also known in open source communities as Fancy Bear, Forest Blizzard, and Blue Delta, operates as part of Russia’s GRU 85th Main Special Service Centre, Military Unit 26165. The group has been linked to numerous high-profile cyber operations, including the 2016 Democratic National Committee hack and disinformation campaigns aimed at destabilizing various regions.
The NCSC’s investigation confirms that APT28’s use of AUTHENTIC ANTICS malware demonstrates the persistence and sophistication of the cyber threat posed by Russia’s GRU. The malware discovery emerged from a cyber incident investigated by Microsoft and NCC Group in 2023, highlighting the importance of public-private cybersecurity partnerships. The UK’s technical attribution has been coordinated with international partners, reinforcing collective defense against Russian cyber operations targeting critical infrastructure and democratic institutions across Europe and beyond.