The UK’s National Cyber Security Centre (NCSC) has officially attributed a series of hostile cyber attacks to the Russian state-operated advanced persistent threat (APT) group Fancy Bear, using malware known as Authentic Antics.
Authentic Antics is specifically designed to steal login credentials and tokens for victims’ email accounts, enabling Russian cyber spies to gain long-term access to their surveillance targets. Fancy Bear, also known as APT28, operates under the 85th Main Special Service Centre, Military Unit 26165, ultimately reporting to the GRU, a successor intelligence agency to the KGB.
NCSC operations director Paul Chichester emphasized the persistence and sophistication of the Russian cyber threat posed by the GRU through the use of Authentic Antics malware. The NCSC urges network defenders to remain vigilant and take necessary monitoring and protective actions to defend systems against such threats.
Working with NCC Group, experts at the NCSC conducted a detailed analysis of Authentic Antics, which blends in with legitimate activities to maintain persistent access to Microsoft cloud accounts for Fancy Bear. This malware has been in use since around 2023, primarily targeting Microsoft Outlook processes to intercept credentials and authentication tokens.
Authentic Antics cleverly exploits users’ familiarity with Microsoft authentication prompts, making it challenging to detect. It does not communicate with any command-and-control infrastructure, making it harder to identify when active. The malware exfiltrates data by sending emails from compromised accounts to Fancy Bear-controlled addresses, without those messages showing up in the victim’s Sent Items folder.
The NCSC highlighted the meticulous design of Authentic Antics to blend in with normal activities, including limited presence on disk, storage in Outlook-specific registry locations, and the incorporation of genuine Microsoft authentication library code for obfuscation.
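One defensive angle on the behaviour described above (mail sent from a compromised account that never appears in Sent Items) is to look for send events that are followed almost immediately by the deletion of the sent copy. The following Python is an added example written for this page; it is not code from the NCSC, NCC Group or Microsoft, and the log records it parses are constructed samples in a simplified, assumed subset of the Exchange mailbox audit record layout (Operation, CreationTime, MailboxOwnerUPN, Item / AffectedItems with a ParentFolder path). The ten-minute window is an arbitrary tuning choice.

```python
"""Flag mail that is sent and then removed from Sent Items shortly afterwards.

Added example for this article, not vendor or NCSC code. The record fields are
an assumed, simplified subset of Exchange mailbox audit records.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta

# Constructed sample audit records (one JSON object per line), not real telemetry.
# alice sends a report and keeps it; bob's sent message is hard-deleted from
# Sent Items 40 seconds later, which is the pattern we want to surface.
SAMPLE_LOG = r"""
{"CreationTime":"2024-05-01T09:00:00","Operation":"Send","MailboxOwnerUPN":"alice@example.org","Item":{"Subject":"Weekly report","InternetMessageId":"<a1@example.org>","ParentFolder":{"Path":"\\Sent Items"}}}
{"CreationTime":"2024-05-01T09:05:00","Operation":"Send","MailboxOwnerUPN":"bob@example.org","Item":{"Subject":"Re: tokens","InternetMessageId":"<b7@example.org>","ParentFolder":{"Path":"\\Sent Items"}}}
{"CreationTime":"2024-05-01T09:05:40","Operation":"HardDelete","MailboxOwnerUPN":"bob@example.org","AffectedItems":[{"Subject":"Re: tokens","InternetMessageId":"<b7@example.org>","ParentFolder":{"Path":"\\Sent Items"}}]}
{"CreationTime":"2024-05-01T11:00:00","Operation":"HardDelete","MailboxOwnerUPN":"alice@example.org","AffectedItems":[{"Subject":"old draft","InternetMessageId":"<d3@example.org>","ParentFolder":{"Path":"\\Drafts"}}]}
"""

SEND_OPS = {"Send", "SendAs", "SendOnBehalf"}
DELETE_OPS = {"HardDelete", "SoftDelete", "MoveToDeletedItems"}


def parse_records(text: str) -> list[dict]:
    """Parse newline-delimited JSON audit records and order them by time."""
    records = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    records.sort(key=lambda r: r["CreationTime"])
    return records


def _is_sent_items(folder: dict | None) -> bool:
    """True if the folder path names the Sent Items folder (leading backslash ignored)."""
    if not folder:
        return False
    return folder.get("Path", "").strip("\\").lower() == "sent items"


def find_vanishing_sent_mail(records: list[dict], window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Return one hit per message that was sent and then deleted from Sent Items within `window`.

    Matching is on (mailbox, InternetMessageId); a deletion from any other folder,
    or outside the window, is ignored.
    """
    pending: dict[tuple[str, str], tuple[datetime, str]] = {}
    hits: list[dict] = []
    for rec in records:
        ts = datetime.fromisoformat(rec["CreationTime"])
        mailbox = rec["MailboxOwnerUPN"].lower()
        op = rec["Operation"]
        if op in SEND_OPS:
            item = rec.get("Item", {})
            pending[(mailbox, item.get("InternetMessageId", ""))] = (ts, item.get("Subject", ""))
        elif op in DELETE_OPS:
            for item in rec.get("AffectedItems", []):
                if not _is_sent_items(item.get("ParentFolder")):
                    continue
                key = (mailbox, item.get("InternetMessageId", ""))
                if key not in pending:
                    continue
                sent_at, subject = pending.pop(key)
                delta = ts - sent_at
                if timedelta(0) <= delta <= window:
                    hits.append({
                        "mailbox": mailbox,
                        "message_id": key[1],
                        "subject": subject,
                        "seconds_until_deleted": int(delta.total_seconds()),
                    })
    return hits


if __name__ == "__main__":
    for hit in find_vanishing_sent_mail(parse_records(SAMPLE_LOG)):
        print(f"{hit['mailbox']}: '{hit['subject']}' ({hit['message_id']}) "
              f"deleted from Sent Items {hit['seconds_until_deleted']}s after sending")
```

The heuristic keys on the Internet message ID rather than the subject so that unrelated deletions with a similar subject do not collide, and it only consumes a pending send on the first matching deletion. In practice this would run over exported audit data alongside the other indicators the NCSC describes (unusual Outlook-related registry activity and limited on-disk footprint), since legitimate users do occasionally delete a message right after sending it.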
In addition to the attribution of cyber attacks to Fancy Bear, the NCSC announced broader sanctions against three GRU units and 18 officers and agents involved in cyber and information interference operations supporting Russia’s geopolitical and military objectives. Foreign Secretary David Lammy condemned GRU spies for destabilizing Europe, undermining Ukraine’s sovereignty, and threatening British citizens.
Nato also condemned Russia’s malicious cyber activities, urging the country to cease its destabilizing actions. The alliance reaffirmed its support for Ukraine, including cyber assistance, and vowed to counter Russian malicious cyber activity using lessons learned from the conflict in Ukraine.