
UK calls out Russian military intelligence for use of espionage tool

Release date
18 July 2025
Alert rating
HIGH

Description

Cyber threat group APT 28 has been responsible for deploying a sophisticated malware against user email accounts as part of its operations.

Audience

  • Cyber security professionals
  • Government
  • Large organisations

Current update

  • GCHQ’s National Cyber Security Centre reveals Russian military intelligence are behind use of sophisticated malware dubbed AUTHENTIC ANTICS
  • Formal attribution comes as UK Government sanctions GRU Units and 18 Russian individuals for malicious hybrid operations
  • The malware steals victims’ login details and tokens to enable long-term access to email accounts

The Government has today (18 July) exposed Russian military intelligence actors for using previously unknown malicious software to enable espionage against victim email accounts, in a move that will keep the UK and its allies safer.

The National Cyber Security Centre – a part of GCHQ – has revealed for the first time that the cyber threat group APT 28 has been responsible for deploying a sophisticated malware dubbed AUTHENTIC ANTICS as part of its operations.

The UK has previously said APT 28 is part of Russia’s GRU 85th Main Special Service Centre, Military Unit 26165. 

The attribution comes as the UK Government has today sanctioned three GRU Units: 26165, 29155 and 74455 and 18 GRU officers and agents for their part in cyber and information interference operations across the globe in support of wider Russian geopolitical and military objectives. The Strategic Defence Review identified the most acute threat as that posed by Russia.

An analysis of AUTHENTIC ANTICS by the NCSC shows how it has been specifically designed to enable persistent endpoint access to Microsoft cloud accounts by blending in with legitimate activity. 

It periodically displays a login window prompting the user to enter their credentials, which are then intercepted by the malware along with the OAuth authentication tokens that grant access to Microsoft services.

The malware also exfiltrates victims’ data by sending emails from the victim’s account to an actor-controlled email address without the emails showing in the ‘sent’ folder.
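The exfiltration pattern described above (mail leaving the account with no trace in Sent Items) is something a defender can look for by reconciling a server-side message trace against the mailbox's Sent Items folder. The following is an added illustration, not code from the NCSC report; the CSV field names and every record are constructed for the example.

```python
"""Flag outbound mail recorded by a server-side message trace that has no
counterpart in the mailbox's Sent Items folder. Added example; field names
and records are constructed, not taken from any real tenant."""
import csv
import io

# Constructed message-trace export: what the mail server actually delivered.
TRACE_CSV = """message_id,sender,recipient,timestamp
<a1@contoso.example>,alice@contoso.example,bob@contoso.example,2025-07-18T09:01:00
<a2@contoso.example>,alice@contoso.example,drop@mail-relay.example,2025-07-18T09:05:00
<a3@contoso.example>,alice@contoso.example,carol@partner.example,2025-07-18T10:30:00
<a4@contoso.example>,alice@contoso.example,drop@mail-relay.example,2025-07-18T11:00:00
"""

# Constructed listing of the same mailbox's Sent Items folder.
SENT_ITEMS_CSV = """message_id,recipient,timestamp
<a1@contoso.example>,bob@contoso.example,2025-07-18T09:01:00
<a3@contoso.example>,carol@partner.example,2025-07-18T10:30:00
"""


def load(csv_text):
    """Parse a CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_hidden_sends(trace_rows, sent_rows, internal_domain):
    """Return trace messages to external recipients that never reached Sent Items."""
    seen = {row["message_id"] for row in sent_rows}
    hidden = []
    for row in trace_rows:
        if row["message_id"] in seen:
            continue  # user-visible send; nothing to flag
        if row["recipient"].split("@")[-1].lower() == internal_domain:
            continue  # internal traffic is not the exfiltration pattern described
        hidden.append(row)
    return hidden


def recipients_by_count(hidden_rows):
    """Group hidden sends by external recipient; a repeated drop address is the strongest signal."""
    counts = {}
    for row in hidden_rows:
        counts[row["recipient"]] = counts.get(row["recipient"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    hidden = find_hidden_sends(load(TRACE_CSV), load(SENT_ITEMS_CSV), "contoso.example")
    for r in hidden:
        print(f"{r['timestamp']} {r['sender']} -> {r['recipient']} absent from Sent Items")
    print(recipients_by_count(hidden))
```

In a real tenant the two inputs would come from the mail platform's message trace and a mailbox folder export; the comparison logic is the same.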

Helping UK organisations build resilience against cyber threats and protecting the UK’s national security is a vital step to secure the foundations for the government’s Plan for Change. 

That is why the UK has announced the largest sustained boost in defence spending since the Cold War, increasing to 2.6% of GDP by 2027. As outlined in the National Security Strategy, this marks a bold step forward in making the UK stronger and more secure by countering cyber and hybrid threats, in a world characterised by radical uncertainty.

Foreign Secretary David Lammy said:

“GRU spies are running a campaign to destabilise Europe, undermine Ukraine’s sovereignty and threaten the safety of British citizens.

“The Kremlin should be in no doubt: we see what they are trying to do in the shadows and we won’t tolerate it. That’s why we’re taking decisive action with sanctions against Russian spies. Protecting the UK from harm is fundamental to this government’s Plan for Change.

“Putin’s hybrid threats and aggression will never break our resolve. The UK and our Allies’ support for Ukraine and Europe’s security is ironclad.”

Paul Chichester, NCSC Director of Operations, said:

“The use of AUTHENTIC ANTICS malware demonstrates the persistence and sophistication of the cyber threat posed by Russia’s GRU.

“NCSC investigations of GRU activities over many years show that network defenders should not take this threat for granted and that monitoring and protective action is essential for defending systems.

“We will continue to call out Russian malicious cyber activity and strongly encourage network defenders to follow advice available on the NCSC website.”

The AUTHENTIC ANTICS malware was discovered in the aftermath of a cyber incident which was investigated by Microsoft and the NCSC-assured cyber incident response provider NCC Group in 2023. 

The NCSC has previously called out APT 28 / Unit 26165, also known in open source as Fancy Bear, Forest Blizzard and Blue Delta, for targeting western logistics entities and technology companies.

The UK has also exposed Unit 29155 for carrying out digital sabotage attacks and Unit 74455, also known in open source as Sandworm, for use of the malware Cyclops Blink and the attempted attack on the Organisation for the Prohibition of Chemical Weapons in 2018.

The full report on AUTHENTIC ANTICS can be found on the NCSC’s website. Associated files relating to this report can also be found via the NCSC’s Malware Analysis Reports page. 

Today’s technical attribution and wider activity has been carried out in coordination with international partners.

The National Security Strategy 2025 called for organisations across the UK to adopt cyber security practices in line with strengthened national security. 
