- UK NCSC details use of a piece of Authentic Antics malware
- It is attributed to APT28 and allegedly used against Western companies helping Ukraine
- The UK sanctioned 20 individuals suspected of being involved
Russian cybercriminals are targeting Microsoft 365 accounts with specialized malware, the UK government’s cybersecurity arm has warned.
The UK National Cyber Security Centre (NCSC) has published a new technical deep dive, detailing a “sophisticated piece of malware” called Authentic Antics, first spotted in 2023, but only now attributed to APT28 – a known, state-sponsored threat actor from Russia, working for the country’s General Staff Main Intelligence Directorate (GRU).
APT28 is also known as Fancy Bear or Forest Blizzard and has been attributed to many high-profile cyber-espionage campaigns throughout the West.
Faking Microsoft login
While the NCSC doesn’t detail how the malware gets deployed, it speculates that it’s most likely through phishing emails or malicious Outlook add-ins.
Once running on the target machine, it targets Microsoft Outlook, looking to steal login credentials and OAuth 2.0 tokens for Microsoft services such as Exchange Online, SharePoint, or OneDrive.
It works by sporadically showing fake login prompts that mimic Microsoft’s authentication windows. It uses environmental keying to make sure it only activates on specific machines, and once the victims try to log in – the information is relayed to the attackers.
For exfiltration, Authentic Antics uses the victim’s email inbox, sending the information in an email that later gets deleted from the “Sent” folder.
Authentic Antics is part of a broader cyber-espionage campaign, targeting western organizations – especially those who support Ukraine in their war effort against Russia.
While names weren’t mentioned, the NCSC did say APT28 targeted logistics and transport organizations, tech firms with access to Microsoft’s cloud services, government entities in NATO countries, and broader infrastructure such as internet-connected cameras at border crossings, used to track shipments to Ukraine.
As a result of the findings, the UK has sanctioned GRU operatives, which included three units and 18 officers, Reuters reported.
Via The Register
