
Brian Sims
Editor
THE GOVERNMENT has exposed Russian military intelligence actors for using previously unknown malicious software to enable espionage against victim e-mail accounts in a move that will keep the UK and its allies safer.
The National Cyber Security Centre (NCSC) – itself part of GCHQ – has revealed for the first time that the cyber threat group APT 28 has been responsible for deploying a sophisticated malware dubbed AUTHENTIC ANTICS as part of its operations. The UK has previously said APT 28 is part of Russia’s GRU 85th Main Special Service Centre, Military Unit 26165.
The attribution comes as the Government has sanctioned three GRU Units (26165, 29155 and 74455) and 18 GRU officers and agents for their part in cyber and information interference operations across the globe in support of wider Russian geopolitical and military objectives. The Strategic Defence Review identified the most acute threat as that posed by Russia.
The NCSC’s analysis of AUTHENTIC ANTICS shows that the malware was specifically designed to maintain persistent access to Microsoft cloud accounts from a compromised endpoint by blending in with legitimate activity.
It periodically displays a login window prompting the user to enter their credentials; the malware intercepts those credentials along with the OAuth authentication tokens that grant access to Microsoft services.
The malware also exfiltrates victims’ data by sending e-mails from the victim’s own account to an actor-controlled e-mail address, without those messages appearing in the account’s ‘Sent’ folder.
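The exfiltration tell described above, mail leaving a mailbox that never appears in its Sent Items folder, is one a defender can hunt for by correlating two data sources most Microsoft 365 tenants already have: outbound message-trace records and mailbox audit records of items created in Sent Items. The script below is an added example, not code from the NCSC or from the incident investigation; the record layout, the sample rows and the two-minute matching window are constructed for illustration, and matching on subject line is a simplification (in production you would join on the internet message ID).

```python
"""Hunt for outbound mail with no Sent Items copy (constructed example)."""
from datetime import datetime, timedelta

# Constructed sample data: not records from any real tenant or incident.
# Each trace row is one recipient of one outbound message.
MESSAGE_TRACE = [
    {"sender": "alice@example.org", "recipient": "bob@example.org",
     "subject": "Q3 budget", "received": "2023-05-02T09:14:00"},
    {"sender": "alice@example.org", "recipient": "partner@supplier.example",
     "subject": "Invoice 1042", "received": "2023-05-02T10:02:00"},
    {"sender": "alice@example.org", "recipient": "collector@mail-relay.example",
     "subject": "FW: Q3 budget", "received": "2023-05-02T10:31:00"},
]
# Mailbox audit view of items created in Sent Items for the same mailbox.
SENT_ITEMS_AUDIT = [
    {"mailbox": "alice@example.org", "subject": "Q3 budget",
     "folder": "Sent Items", "time": "2023-05-02T09:14:03"},
    {"mailbox": "alice@example.org", "subject": "Invoice 1042",
     "folder": "Sent Items", "time": "2023-05-02T10:02:01"},
]
INTERNAL_DOMAINS = {"example.org"}  # assumed list of the organisation's own domains


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def has_sent_copy(trace_row: dict, sent_audit: list, window: timedelta) -> bool:
    """True if a Sent Items entry for the same mailbox and subject exists
    within `window` of the message leaving the tenant."""
    sent_at = _ts(trace_row["received"])
    for item in sent_audit:
        if (item["mailbox"].lower() == trace_row["sender"].lower()
                and item["folder"] == "Sent Items"
                and item["subject"] == trace_row["subject"]
                and abs(_ts(item["time"]) - sent_at) <= window):
            return True
    return False


def find_suspicious_sends(trace: list, sent_audit: list, internal_domains: set,
                          window: timedelta = timedelta(minutes=2)) -> list:
    """Return trace rows that left the tenant with no Sent Items copy.

    An external recipient on its own is normal business traffic and is not
    flagged; it is recorded as an aggravating reason when the copy is missing.
    """
    findings = []
    for row in trace:
        if has_sent_copy(row, sent_audit, window):
            continue
        reasons = ["no Sent Items copy"]
        domain = row["recipient"].rsplit("@", 1)[-1].lower()
        if domain not in internal_domains:
            reasons.append("external recipient")
        findings.append({**row, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_sends(MESSAGE_TRACE, SENT_ITEMS_AUDIT, INTERNAL_DOMAINS):
        print(f"{hit['received']} {hit['sender']} -> {hit['recipient']} "
              f"[{hit['subject']}] : {', '.join(hit['reasons'])}")
```

Run on the constructed data, only the 10:31 message to collector@mail-relay.example is reported: the internal send and the legitimate external invoice both have a matching Sent Items entry. The same logic applies whether the records come from Exchange Online message trace and mailbox auditing or from an on-premises transport log; the point is that the two sources disagree for the exfiltration messages and agree for everything else.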
Helping UK organisations to build resilience against cyber threats and protecting the UK’s national security are vital steps in securing the foundations for the Government’s Plan for Change.
That is why the UK has announced the largest sustained boost in defence spending since the Cold War, increasing to 2.6% of GDP by 2027. As outlined in the National Security Strategy, this marks a bold step forward, making the UK stronger and more secure by countering cyber and hybrid threats in a world that’s characterised by radical uncertainty.
Threat to safety
Foreign Secretary, David Lammy said: “GRU spies are running a campaign in a bid to destabilise Europe, undermine Ukraine’s sovereignty and threaten the safety of British citizens. The Kremlin should be in no doubt: we see what they are trying to do in the shadows and we will not tolerate it. That’s why we’re taking decisive action with sanctions against Russian spies. Protecting the UK from harm is fundamental to this Government’s Plan for Change.”
Lammy added: “Putin’s hybrid threats and aggression will never break our resolve. The UK’s and its allies’ support for Ukraine and Europe’s security is ironclad.”
Paul Chichester, director of operations at the NCSC, stated: “The use of AUTHENTIC ANTICS malware demonstrates the persistence and sophistication of the cyber threat posed by Russia’s GRU. The NCSC’s investigations of GRU activities over many years show that network defenders should not take this threat for granted and that monitoring and protective action will be essential for defending systems.”
Further, Chichester observed: “We will continue to call out Russian malicious cyber activity and strongly encourage network defenders to follow the advice that’s available on the NCSC’s website.”
Cyber incident
The AUTHENTIC ANTICS malware was discovered in the aftermath of a cyber incident investigated by Microsoft and the NCSC-assured cyber incident response provider NCC Group back in 2023.
The NCSC has previously called out APT 28/Unit 26165, also known in open source as Fancy Bear, Forest Blizzard and Blue Delta, for targeting Western logistics entities and technology companies.
The UK has also exposed Unit 29155 for carrying out digital sabotage attacks and Unit 74455, also known in open source as Sandworm, for use of the Cyclops Blink malware and the attempted attack on the Organisation for the Prohibition of Chemical Weapons in 2018.
The National Security Strategy 2025 has called for organisations across the UK to adopt cyber security practices in line with strengthened national security.