The UK National Cyber Security Centre (NCSC) has formally attributed ‘Authentic Antics’ espionage malware attacks to APT28 (Fancy Bear), a threat actor already linked to Russia’s military intelligence service (GRU).
The NCSC revealed in a detailed technical analysis of the Authentic Antics malware dated May 6th that it is stealing credentials and OAuth 2.0 tokens that allow access to a target’s email account.
The malware, observed in use in 2023, runs inside the Outlook process and produces multiple Microsoft login prompts in an attempt to intercept the victim’s sign-in data and authorization code.
The agency says that because Microsoft 365 apps are configurable per tenant, it is possible that the stolen tokens also grant access to Exchange Online, SharePoint, and OneDrive.
Authentic Antics exfiltrates the stolen data by using the victim’s own Outlook account to send it to an attacker-controlled email address, and hides the operation by disabling the “save to sent” option.
[Image: The fake login prompt served to the target. Source: NCSC]
Authentic Antics consists of multiple components that include a dropper, an infostealer, and several PowerShell scripts.
The UK cyber agency says that Authentic Antics has a high level of sophistication that allows it to provide access to victim email accounts for long periods without being detected.
This is possible because the malware’s network communication is only with legitimate services. Furthermore, since it sends the victim’s email messages automatically to the attacker, it does not require a command-and-control (C2) server to receive tasks.
“Its presence on disk is limited, data is stored in Outlook specific registry locations,” the NCSC experts say in the technical analysis.
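Because the malware talks only to legitimate Microsoft services and sends stolen mail through the victim’s own Outlook account, network-level C2 detection has nothing to catch; the observable traces are the burst of repeated interactive sign-in prompts and the outbound mail to a single external address with no copy in Sent Items. The following hunting script is an added example written for this article, not NCSC or Microsoft code: the records are constructed and the field names (`user`, `ts`, `interactive`, `saved_to_sent`, and so on) are simplified assumptions rather than a real Entra ID sign-in log or Exchange message-trace schema, so a practitioner would map them onto whatever telemetry their tenant exports.

```python
"""Hunting heuristics for the Authentic Antics tradecraft described above.

Added example, not NCSC code. All records below are constructed and
simplified; the field names are assumptions, not a real Microsoft schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events. Four interactive Outlook prompts for one user
# inside a few minutes mirrors the repeated-login behaviour in the report;
# Bob's two prompts hours apart are normal.
SIGNIN_EVENTS = [
    {"user": "alice@example.org", "ts": "2023-03-01T09:00:05", "app": "Outlook", "interactive": True},
    {"user": "alice@example.org", "ts": "2023-03-01T09:01:10", "app": "Outlook", "interactive": True},
    {"user": "alice@example.org", "ts": "2023-03-01T09:02:40", "app": "Outlook", "interactive": True},
    {"user": "alice@example.org", "ts": "2023-03-01T09:04:00", "app": "Outlook", "interactive": True},
    {"user": "bob@example.org",   "ts": "2023-03-01T09:00:00", "app": "Outlook", "interactive": True},
    {"user": "bob@example.org",   "ts": "2023-03-01T17:30:00", "app": "Outlook", "interactive": True},
]

# Constructed outbound mail records. Alice's mailbox relays several messages
# to one external address with "save to sent" disabled; her message to a
# vendor and Bob's internal mail are benign.
OUTBOUND_MAIL = [
    {"sender": "alice@example.org", "recipient": "collector@attacker.example", "subject": "FW: Q1 budget",   "saved_to_sent": False},
    {"sender": "alice@example.org", "recipient": "collector@attacker.example", "subject": "FW: Travel plan", "saved_to_sent": False},
    {"sender": "alice@example.org", "recipient": "collector@attacker.example", "subject": "FW: Contract",    "saved_to_sent": False},
    {"sender": "alice@example.org", "recipient": "partner@vendor.example",     "subject": "Invoice",         "saved_to_sent": True},
    {"sender": "bob@example.org",   "recipient": "carol@example.org",          "subject": "Lunch?",          "saved_to_sent": True},
]


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def repeated_prompts(events, window_minutes: int = 10, threshold: int = 3) -> dict:
    """Return {user: max prompts in any sliding window} for users whose
    interactive sign-in prompts reach the threshold inside the window."""
    by_user = defaultdict(list)
    for event in events:
        if event["interactive"]:
            by_user[event["user"]].append(_parse_ts(event["ts"]))

    window = timedelta(minutes=window_minutes)
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):
            # Count prompts from this one forward that fall inside the window.
            count = sum(1 for t in times[i:] if t - start <= window)
            best = max(best, count)
        if best >= threshold:
            flagged[user] = best
    return flagged


def suspicious_relay(mail, internal_domain: str, min_messages: int = 3) -> dict:
    """Return {(sender, external recipient): count} for external recipients that
    received at least min_messages from one internal sender without a copy
    being kept in Sent Items."""
    counts = defaultdict(int)
    for message in mail:
        recipient_domain = message["recipient"].rsplit("@", 1)[1]
        if recipient_domain != internal_domain and not message["saved_to_sent"]:
            counts[(message["sender"], message["recipient"])] += 1
    return {pair: n for pair, n in counts.items() if n >= min_messages}


if __name__ == "__main__":
    print("Repeated prompts:", repeated_prompts(SIGNIN_EVENTS))
    print("Suspicious relay:", suspicious_relay(OUTBOUND_MAIL, "example.org"))
```

Neither heuristic is a signature; both are volume thresholds that a tenant would tune against its own baseline, and a hit on the prompt burst is worth correlating with the mail-relay check and with Outlook-related registry changes on the endpoint, since the report notes the malware keeps its data in Outlook-specific registry locations rather than in files.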
Attribution and sanctions
The NCSC did not make any attribution for Authentic Antics at the time, but the agency announced today that it found evidence linking the malware to the APT28 state group, also known as Fancy Bear, Sednit, Sofacy, Pawn Storm, STRONTIUM, Tsar Team, and Forest Blizzard.
“The Government has today (July 18) exposed Russian military intelligence actors for using previously unknown malicious software to enable espionage against victim email accounts, in a move that will keep the UK and its allies safer,” the UK’s NCSC says.
“The National Cyber Security Centre – a part of GCHQ – has revealed for the first time that the cyber threat group APT 28 has been responsible for deploying a sophisticated malware dubbed AUTHENTIC ANTICS as part of its operations.”
UK officials condemned GRU agents for conducting hybrid operations aimed at destabilizing Europe and endangering British citizens, and noted that the deployment of Authentic Antics reflects the growing sophistication of the Russian intelligence service.
At the same time, they underlined NCSC’s commitment to exposing these cyber activities and sanctioning the responsible parties.