The UK Government has formally attributed a newly identified cyber espionage tool to Russian military intelligence.

According to GCHQ’s National Cyber Security Centre (NCSC), the malware, named AUTHENTIC ANTICS, has been used by the cyber threat group APT 28, part of the GRU’s 85th Main Special Service Centre (Military Unit 26165).

The attribution was announced alongside new sanctions targeting three GRU units—26165, 29155 and 74455—and 18 named Russian intelligence officers and agents. The sanctions relate to cyber and information interference activities intended to support Russian geopolitical and military goals.

An NCSC analysis found that AUTHENTIC ANTICS is designed to provide persistent access to Microsoft cloud services by stealing user credentials and authentication tokens. The malware periodically displays a login prompt to harvest credentials and exfiltrates data by sending messages from the victim’s email account to actor-controlled inboxes. These actions are carried out in a way that avoids detection by excluding the emails from the user’s sent folder.
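One of the behaviours described above, outbound mail sent from the victim's own account that never appears in the Sent folder, is something a defender can hunt for in mailbox telemetry. The following is an added illustration, not code from the NCSC report or from the investigating firms: it runs a simple detection over a constructed set of send records. The record schema (`mailbox`, `message_id`, `recipients`, `sent_folder_copy`) and the `example.org` home domain are assumptions for the example, not fields of any real audit log.

```python
"""Hunt for sends that bypass the user's Sent folder (added example, constructed data).

The idea: a message sent from a mailbox to an external recipient, with no copy
written to the Sent folder, is unusual for a human user and matches the
exfiltration pattern described in the NCSC analysis.
"""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

# Constructed sample telemetry: one JSON object per outbound message.
# The field names are hypothetical; map them from whatever your mail platform exports.
SAMPLE_LOG = """
{"mailbox":"alice@example.org","message_id":"m1","recipients":["bob@example.org"],"sent_folder_copy":true}
{"mailbox":"alice@example.org","message_id":"m2","recipients":["drop@collector.example"],"sent_folder_copy":false}
{"mailbox":"alice@example.org","message_id":"m3","recipients":["partner@vendor.example"],"sent_folder_copy":true}
{"mailbox":"alice@example.org","message_id":"m4","recipients":["drop@collector.example","bob@example.org"],"sent_folder_copy":false}
{"mailbox":"carol@example.org","message_id":"m5","recipients":["carol.private@mail.example"],"sent_folder_copy":false}
"""


@dataclass(frozen=True)
class SendEvent:
    mailbox: str
    message_id: str
    recipients: tuple[str, ...]
    sent_folder_copy: bool  # hypothetical: was a copy stored in the Sent folder?


def parse_events(raw: str) -> list[SendEvent]:
    """Parse newline-delimited JSON records into SendEvent objects, skipping blanks."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append(SendEvent(
            mailbox=rec["mailbox"],
            message_id=rec["message_id"],
            recipients=tuple(rec["recipients"]),
            sent_folder_copy=bool(rec["sent_folder_copy"]),
        ))
    return events


def external_recipients(recipients: Iterable[str], home_domain: str) -> list[str]:
    """Return recipients whose domain differs from the organisation's own domain."""
    home = home_domain.lower()
    return [r for r in recipients if r.rsplit("@", 1)[-1].lower() != home]


def find_hidden_external_sends(events: Iterable[SendEvent], home_domain: str):
    """Flag messages to external recipients that left no trace in the Sent folder.

    Returns a list of (mailbox, message_id, external_recipients) tuples.
    """
    findings = []
    for ev in events:
        ext = external_recipients(ev.recipients, home_domain)
        if ext and not ev.sent_folder_copy:
            findings.append((ev.mailbox, ev.message_id, ext))
    return findings


def repeated_hidden_destinations(findings, threshold: int = 2) -> dict[str, int]:
    """Count external addresses that repeatedly receive hidden sends.

    A destination hit again and again across hidden sends is a stronger
    signal of an actor-controlled collection inbox than a single event.
    """
    counts: dict[str, int] = defaultdict(int)
    for _mailbox, _msg_id, ext in findings:
        for addr in ext:
            counts[addr] += 1
    return {addr: n for addr, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    hits = find_hidden_external_sends(evs, "example.org")
    for mailbox, msg_id, ext in hits:
        print(f"{mailbox}: message {msg_id} to {', '.join(ext)} with no Sent copy")
    print("repeated destinations:", repeated_hidden_destinations(hits))
```

On the constructed data this flags three hidden sends and singles out one external address that received two of them; a single hidden send to a personal address (as with `carol` here) is a lower-confidence hit that is worth reviewing rather than alerting on. In practice the "no Sent copy" signal has to come from whatever mailbox audit data the platform exposes, and the home-domain check should be extended to cover all domains the organisation owns.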

Paul Chichester, Director of Operations at the NCSC, said: “The use of AUTHENTIC ANTICS malware demonstrates the persistence and sophistication of the cyber threat posed by Russia’s GRU. NCSC investigations of GRU activities over many years show that network defenders should not take this threat for granted and that monitoring and protective action is essential for defending systems.”

The malware was uncovered following a 2023 cyber incident investigated jointly by Microsoft and NCC Group, an NCSC-assured cyber incident response provider.

Foreign Secretary David Lammy said: “GRU spies are running a campaign to destabilise Europe, undermine Ukraine’s sovereignty and threaten the safety of British citizens. The Kremlin should be in no doubt: we see what they are trying to do in the shadows and we will not tolerate it. That is why we are taking decisive action with sanctions against Russian spies. Protecting the UK from harm is fundamental to this government’s Plan for Change.”

APT 28 has been previously identified in open-source reporting as Fancy Bear, Forest Blizzard and Blue Delta. NCSC has previously linked the group to cyber operations against Western logistics firms and technology companies. Unit 29155 has been associated with sabotage operations, while Unit 74455, also known as Sandworm, has been linked to the 2018 attempted cyber attack on the Organisation for the Prohibition of Chemical Weapons and the deployment of Cyclops Blink malware.

The NCSC has published a detailed technical report on AUTHENTIC ANTICS and associated files on its Malware Analysis Reports page. This attribution is part of broader UK efforts to counter Russian hybrid threats and follows coordination with international partners.

George Allison
George has a degree in Cyber Security from Glasgow Caledonian University and has a keen interest in naval and cyber security matters and has appeared on national radio and television to discuss current events. George is on Twitter at @geoallison
