
UK uncovers novel Microsoft snooping malware, blames and sanctions GRU cyberspies

(2025/07/20)


The UK government is warning that Russia's APT28 (also known as Fancy Bear or Forest Blizzard) has been deploying previously unknown malware to harvest Microsoft email credentials and steal access to compromised accounts.

Both the UK and the US have previously said APT28 is part of Russia's General Staff Main Intelligence Directorate (GRU) military unit [1]26165. Friday's malware revelations - dubbed Authentic Antics by the UK - came just hours after the British government [2]sanctioned three GRU units (26165, 29155, and 74455) and several individual spies, accused of "conducting a sustained campaign of malicious cyber activity over many years."

Authentic Antics was initially discovered following a 2023 breach investigated by Microsoft and NCC Group, but today is the first time that the government has attributed it to the Russian military crew.


The malware targets the Windows operating system, running within Outlook, according to a [4]technical analysis.


Authentic Antics periodically displays a login window that prompts the user to enter their credentials, and if they do, the malware steals the data, along with OAuth authentication tokens, which allow access to Microsoft services, including Exchange Online, SharePoint, and OneDrive.

In addition, the malware exfiltrates victims' data by sending emails from the victim's account to an actor-controlled email address without the emails showing in the "sent" folder.
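The exfiltration route described above (mail sent from the victim's own account that never shows up in the Sent folder) leaves a gap a defender can hunt for: an outbound message recorded by the mail platform but absent from the sender's Sent Items. The following is an added example, not code from the NCSC report or from The Register; it runs over constructed send records and a constructed snapshot of each user's Sent folder, in a simplified shape (real tenants would pull the equivalent from mailbox audit logs and the mailbox itself), and groups the hits per recipient so a repeated collection address stands out.

```python
"""Hunt for outbound mail that is missing from the sender's Sent folder.

Added illustration. Record shapes, domains and message ids are constructed
for the example and are not NCSC's analysis code or any vendor's log schema.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SendEvent:
    sender: str
    recipient: str
    message_id: str
    client: str  # application that submitted the message


# Constructed sample data: the organisation's own domain, a handful of
# outbound sends, and what each user's Sent Items folder currently holds.
INTERNAL_DOMAINS = {"corp.example"}

SEND_EVENTS = [
    SendEvent("alice@corp.example", "bob@corp.example", "m-001", "Outlook"),
    SendEvent("alice@corp.example", "partner@vendor.example", "m-002", "Outlook"),
    SendEvent("alice@corp.example", "dropbox9@mail-relay.invalid", "m-003", "Outlook"),
    SendEvent("alice@corp.example", "dropbox9@mail-relay.invalid", "m-004", "Outlook"),
    SendEvent("carol@corp.example", "dave@corp.example", "m-010", "Outlook"),
]

# m-003 and m-004 were sent but never appeared in alice's Sent Items.
SENT_ITEMS = {
    "alice@corp.example": {"m-001", "m-002"},
    "carol@corp.example": {"m-010"},
}


def domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def find_hidden_sends(events, sent_items, internal_domains):
    """Return sends to external recipients whose message id is absent from
    the sender's Sent folder. Internal mail is skipped to cut noise."""
    hidden = []
    for ev in events:
        if domain(ev.recipient) in internal_domains:
            continue
        if ev.message_id not in sent_items.get(ev.sender, set()):
            hidden.append(ev)
    return hidden


def summarize(hidden):
    """Count hidden sends per (sender, recipient) pair; a single external
    address receiving several such messages is the pattern to review."""
    counts = defaultdict(int)
    for ev in hidden:
        counts[(ev.sender, ev.recipient)] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_hidden_sends(SEND_EVENTS, SENT_ITEMS, INTERNAL_DOMAINS)
    for (sender, recipient), n in summarize(hits).items():
        print(f"{sender} -> {recipient}: {n} message(s) sent but absent from Sent Items")
```

A message can be missing from Sent Items for benign reasons (the user deleted it, a client configured not to save sent mail), so the output is a triage list rather than an alert on its own; correlating the recipient address across users and against the rest of the mailbox's activity is what separates a misconfiguration from a collection address.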


"The use of Authentic Antics malware demonstrates the persistence and sophistication of the cyber threat posed by Russia's GRU," the UK's National Cyber Security Centre director of operations Paul Chichester said in a [7]statement.

"NCSC investigations of GRU activities over many years show that network defenders should not take this threat for granted and that monitoring and protective action is essential for defending systems," he added.


In May, the NCSC, US National Security Agency, and several other government agencies warned that this same GRU cyber-spy unit was [9]targeting "dozens" of Western and NATO-country logistics providers, tech companies, and government orgs providing transport and foreign assistance to Ukraine.

The advisory says the snoops also targeted internet-connected cameras at border crossings to track aid shipments in an ongoing campaign that began in 2022, which is when Russia first invaded neighboring Ukraine.

[10]Russia's Fancy Bear swipes a paw at logistics, transport orgs' email servers

[11]New Russian cyber-spy crew Laundry Bear joins the email-stealing pack

[12]What a coincidence. Spyware makers, Russia's Cozy Bear seem to share same exploits

[13]So … Russia no longer a cyber threat to America?

That same year, GRU unit 26165 conducted online reconnaissance to guide missile strikes against Mariupol – including the strike that destroyed the Mariupol Theatre and [14]reportedly killed hundreds of civilians, including children.

According to the UK government, the GRU units and the officers sanctioned today also planted [15]X-Agent spyware on phones belonging to former Russian double agent Sergei Skripal and his daughter, Yulia, before reportedly [16]poisoning them with Novichok in 2018.

The GRU officers sanctioned include: Aleksandr Vladimirovich Osadchuk, Yevgeniy Mikhaylovich Serebriakov, Anatoliy Sergeyvich Kovalev, Artem Valeryvich Ochichenko, Vladislav Yevgenyevich Borovkov, Nikolay Aleksandrovich Korchagin, Yuriy Federovich Denisov, Vitaly Aleksandrovich Shevchenko, Ivan Sergeyevich Yermakov, Aleksey Viktorovich Lukashev, Sergey Sergeyevich Vasyuk, Andrey Eduardovich Baranov, Aleksey Sergeyevich Morenets, Sergey Aleksandrovich Morgachev, Artem Adreyevich Malyshev, Yuriy Leonidovich Shikolenko, Victor Borisovich Netyksho, Dmitriy Aleksandrovich Mikhaylov, Artyom Sergeevich Kureyev, Anna Sergeevna Zamaraeva, and Victor Aleksandrovich Lukovenko.


In conjunction with the UK sanctions, both the [18]EU and [19]NATO issued statements condemning Russia's malicious cyber activities and attributing recent digital intrusions and snooping campaigns to the GRU.

Microsoft says it has nothing to share, and CISA has referred us to the NCSC; we'll update if we receive any additional comment. ®




[1] https://www.theregister.com/2025/05/21/russias_fancy_bear_alert/

[2] https://www.gov.uk/government/publications/profile-gru-cyber-and-hybrid-threat-operations/profile-gru-cyber-and-hybrid-threat-operations


[4] https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/authentic-antics/ncsc-mar-authentic_antics.pdf


[7] https://www.ncsc.gov.uk/news/uk-call-out-russian-military-intelligence-use-espionage-tool


[9] https://www.theregister.com/2025/05/21/russias_fancy_bear_alert/

[10] https://www.theregister.com/2025/05/21/russias_fancy_bear_alert/

[11] https://www.theregister.com/2025/05/27/new_russian_cyberspy_crew_laundry_bear/

[12] https://www.theregister.com/2024/08/29/commercial_spyware_russia_mongolia/

[13] https://www.theregister.com/2025/03/04/russia_cyber_threat/

[14] https://apnews.com/article/russia-military-intelligence-sabotage-cyber-attacks-2657fe4b54d93e35f30f4ce3fc2665cb

[15] https://www.theregister.com/2018/07/16/apt28_italian_job/

[16] https://www.reuters.com/article/world/the-poisoning-of-former-russian-double-agent-sergei-skripal-idUSKCN1GP2CH/


[18] https://www.consilium.europa.eu/en/press/press-releases/2025/07/18/hybrid-threats-russia-statement-by-the-high-representative-on-behalf-of-the-eu-condemning-russia-s-persistent-hybrid-campaigns-against-the-eu-its-member-states-and-partners/

[19] https://www.nato.int/cps/en/natohq/official_texts_237067.htm




Doctor Syntax

In real practical terms exactly what do these sanctions do? As opposed to generating press releases?

elsergiovolador

At this point, UK cyber defence feels less like a national security apparatus and more like a stamp-collecting club.

Russia deploys military-grade malware, and the response? Give it a cute codename, file it under “Very Serious Threats,” and blast out a press release like they’ve just won a science fair.

No arrests, no retaliation, no meaningful disruption - just glossy PDFs and statements about "persistence and sophistication" as if admiration were a countermeasure.

Expensive, taxpayer-funded theatre.

Correction

m4r35n357

. . ."an ongoing campaign that began in 2022, which is when Russia _again_ invaded neighbouring (sp) Ukraine.

Aww tentic

elsergiovolador

Another flashy name - “Authentic Antics” - because if there’s one thing Britain’s security services excel at, it’s branding malware like craft beers while doing sod all to stop it. GRU operatives are looting inboxes, tracking aid convoys, and helping coordinate missile strikes on civilians, and what do we get? A stern press release and a round of symbolic sanctions five years too late.

The UK's cyber response strategy seems to be: watch Russia commit war crimes in real time, give the malware a catchy codename, and then leak a strongly worded PDF to the press while nodding solemnly.

Call it what it is: institutionalised bystanderism, rebranded as vigilance.

MS is a ripe target for the KGB/GRU/etc

Steve Davies 3

Isn't it time to ditch MS entirely, all in the interests of 'National Security' of course.

Trumpistan is very keen on playing that card so why can't we? (ok answers on a pin-head in 25pt Garamond)
