UK Identifies Russian GRU’s “AUTHENTIC ANTICS” Malware in Email Espionage Campaign 
AUTHENTIC ANTICS | Cyble Blogs

The UK linked the AUTHENTIC ANTICS malware to APT 28 and sanctioned GRU units for cyber espionage targeting Microsoft email accounts and hybrid warfare.

The UK Government publicly attributed a new malware campaign to Russian military intelligence (GRU), naming the strain “AUTHENTIC ANTICS.” The announcement was made alongside sanctions targeting three GRU units and 18 individuals for conducting cyber and hybrid warfare across Europe and beyond. 

The campaign has been tied to the notorious APT 28 group, a well-known threat actor also known as Fancy Bear, FOREST BLIZZARD, and Sofacy. Operatives from the 85th Main Special Service Centre (Unit 26165) managed and deployed AUTHENTIC ANTICS as part of a long-running espionage operation designed to infiltrate Microsoft cloud email accounts via Outlook. 

In tandem with the attribution, the UK sanctioned GRU Units 26165, 29155, and 74455 and 18 military intelligence officers, accusing them of cyberattacks, sabotage, assassination plots, and disinformation campaigns, highlighting Russia’s “malicious hybrid operations.” 

How AUTHENTIC ANTICS Works 

The National Cyber Security Centre (NCSC), part of GCHQ, has delivered a detailed technical breakdown of AUTHENTIC ANTICS, describing it as both innovative and deceptively stealthy: 

  1. Credential Theft via Fake Prompt: AUTHENTIC ANTICS triggers fake Outlook login windows that mimic genuine Microsoft authentication. Once a user enters their credentials, the malware captures both the username/password and the OAuth2 tokens, which provide long-term access to cloud services.
  2. Silent Email Theft: The malware silently forwards emails to attackers via the victim’s own Outlook client. These forwarded messages do not appear in the victim’s “Sent” folder, making detection more difficult.
  3. Blending In: AUTHENTIC ANTICS leaves minimal traces: it reuses genuine Microsoft authentication libraries, limits its disk footprint, stores artifacts in Outlook-specific registry entries, and avoids C2 infrastructure, communicating only with Microsoft services.

The National Cyber Security Centre stressed that the malware has likely been in use since at least 2023, reinforcing the GRU’s ongoing persistence and adaptability in cyber espionage. 
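As an added illustration of the “Silent Email Theft” point above, and not code from the NCSC analysis or from Cyble, the following Python check reconciles server-side outbound-mail events against a mailbox’s Sent folder: messages that left the mailbox without a Sent-folder copy, repeatedly to one external address, are the pattern that client-side forwarding hidden from “Sent” would leave behind. The record shapes, the domain example.org and the addresses are constructed for the example and are not a real Exchange or Microsoft 365 audit-log schema.

```python
# Added example: reconcile outbound-mail audit events with the Sent Items folder.
# Record shapes, the org domain and the addresses are constructed for illustration;
# they are not a real Exchange / Microsoft 365 audit-log schema.
from dataclasses import dataclass

@dataclass(frozen=True)
class SendEvent:
    """One outbound message observed server-side (constructed shape)."""
    mailbox: str     # sending mailbox
    message_id: str  # message identifier
    recipient: str   # single recipient address

@dataclass(frozen=True)
class SentItem:
    """One message present in the mailbox's Sent folder (constructed shape)."""
    mailbox: str
    message_id: str

def find_unrecorded_sends(events, sent_items):
    """Send events with no matching item in the sender's own Sent folder."""
    recorded = {(s.mailbox, s.message_id) for s in sent_items}
    return [ev for ev in events if (ev.mailbox, ev.message_id) not in recorded]

def external_recipient_counts(events, org_domain):
    """Number of events per recipient whose domain is outside org_domain."""
    counts = {}
    for ev in events:
        if ev.recipient.rsplit("@", 1)[-1].lower() != org_domain.lower():
            counts[ev.recipient] = counts.get(ev.recipient, 0) + 1
    return counts

def suspicious_forwarding(events, sent_items, org_domain, threshold=3):
    """External addresses that received >= threshold messages the Sent folder never saw."""
    counts = external_recipient_counts(find_unrecorded_sends(events, sent_items), org_domain)
    return {addr: n for addr, n in counts.items() if n >= threshold}

# Constructed sample: three messages left alice's mailbox for one outside address,
# and only the ordinary internal message has a Sent-folder copy.
ORG_DOMAIN = "example.org"
SAMPLE_EVENTS = [
    SendEvent("alice@example.org", "m1", "bob@example.org"),
    SendEvent("alice@example.org", "m2", "collector@example.net"),
    SendEvent("alice@example.org", "m3", "collector@example.net"),
    SendEvent("alice@example.org", "m4", "collector@example.net"),
]
SAMPLE_SENT = [SentItem("alice@example.org", "m1")]

if __name__ == "__main__":
    print(suspicious_forwarding(SAMPLE_EVENTS, SAMPLE_SENT, ORG_DOMAIN))
```

In practice the two inputs would come from the tenant’s mailbox audit records and a mailbox folder listing; the threshold and the set of internal domains are tuning knobs for the environment.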

Official Reactions 

David Lammy, UK Foreign Secretary 


“GRU spies are running a campaign to destabilize Europe, undermine Ukraine’s sovereignty, and threaten the safety of British citizens. The Kremlin should be in no doubt: we see what they are trying to do in the shadows, and we won’t tolerate it,” Lammy stated. He emphasized that the UK’s decisive action against Russian operatives is part of its broader “Plan for Change.” 

Paul Chichester, NCSC Director of Operations 

“The use of AUTHENTIC ANTICS malware demonstrates the persistence and sophistication of the cyber threat posed by Russia’s GRU. … Network defenders should not take this threat for granted, and monitoring and protective action is essential.” He added that the National Cyber Security Centre will “continue to call out Russian malicious cyber activity and strongly encourage network defenders to follow advice available on the NCSC website.” 

Coordinated Defence and Cyber Strategy 

The National Security Strategy 2025 calls for enhanced cyber defenses among national organizations, while the government’s Plan for Change includes increased defense spending, rising to 2.6% of GDP by 2027, to counter escalating hybrid threats. 

Collaborative cybersecurity advisories from 2023 to 2024 have detailed APT 28 operations targeting critical infrastructure, Western logistics, and technology entities. Their campaigns have included exploiting Cisco router vulnerabilities, phishing campaigns, and malware deployment in NATO-aligned states.

International Collaboration and Broader Context 

UK officials emphasized that this operation is being conducted in coordination with international partners, including NATO. NATO has also publicly condemned the activities of the GRU and APT 28, calling for a collective defense posture against nation-state cyber threats.

Globally, APT 28’s toolset includes malware such as X-Agent, CORESHELL, and HEADLACE. The group has targeted various government institutions, media entities, energy providers, and NGOs.  

Conclusion  

Following the National Cyber Security Centre’s attribution of the AUTHENTIC ANTICS malware to APT 28, organizations are advised to take clear, practical steps to reduce risk. These include monitoring Microsoft authentication logs for suspicious activity, training staff to recognize fake login prompts, enabling multi-factor authentication, implementing zero-trust architecture, and keeping systems patched and updated. 
