UK Sanctions Russian APT 28 Hackers for Attacking Microsoft Cloud Service Login Details
The UK Government has imposed sanctions on Russian military intelligence units and 18 individuals following the exposure of a sophisticated cyber espionage campaign targeting Microsoft cloud services.
The National Cyber Security Centre (NCSC) revealed that the Russian Advanced Persistent Threat group APT 28 deployed previously unknown malware called AUTHENTIC ANTICS to steal login credentials and maintain persistent access to victim email accounts.
Key Takeaways
1. UK sanctions Russian GRU units and 18 individuals for Microsoft cloud cyber attacks.
2. AUTHENTIC ANTICS malware steals login credentials through fake login windows.
3. UK boosts defense spending to 2.6% GDP to counter Russian threats.
AUTHENTIC ANTICS Targets Microsoft Cloud Environment
The AUTHENTIC ANTICS malware represents a significant evolution in Russian cyber capabilities, specifically designed to target Microsoft cloud environments through sophisticated credential harvesting techniques.
According to the NCSC’s technical analysis, the malware operates by periodically displaying legitimate-looking login windows that prompt users to enter their credentials.
The harvested credentials are captured together with OAuth authentication tokens, which give the attackers extended access to Microsoft services without triggering traditional security alerts.
The malware’s stealth capabilities extend beyond simple credential theft. AUTHENTIC ANTICS can exfiltrate sensitive data by automatically sending emails from compromised accounts to actor-controlled addresses while ensuring these messages never appear in the victim’s sent folder.
This technique allows for covert data extraction that can remain undetected for extended periods, enabling long-term intelligence gathering operations.
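The exfiltration behaviour described above, a message sent from the victim's mailbox that never persists in the Sent Items folder, is something a defender can hunt for by correlating mailbox audit events. The following is an added illustrative example, not NCSC, Microsoft or NCC Group code: it flags Send events that have no matching Sent Items copy within a short window, or whose copy is hard-deleted right after being created, and marks recipients outside the organisation's own domains. The event records, field names (`op`, `msg_id`, `folder`) and addresses are constructed, simplified stand-ins; real Microsoft 365 audit schemas differ and would need mapping into this shape.

```python
"""Hunt for covert outbound mail: Send events with no surviving Sent Items copy.

Added example for illustration only. The records below are constructed and use a
simplified, hypothetical schema rather than the real Microsoft 365 audit log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mailbox-audit events (hypothetical schema).
# m1: normal send, copy lands in Sent Items.
# m2: send to an external address, no Sent Items copy ever created.
# m3: send to an external address, Sent Items copy created then hard-deleted.
SAMPLE_EVENTS = [
    {"ts": "2023-06-01T09:00:00", "op": "Send", "mailbox": "alice@example.org",
     "msg_id": "m1", "recipients": ["bob@example.org"]},
    {"ts": "2023-06-01T09:00:02", "op": "Create", "mailbox": "alice@example.org",
     "msg_id": "m1", "folder": "Sent Items"},
    {"ts": "2023-06-01T09:05:00", "op": "Send", "mailbox": "alice@example.org",
     "msg_id": "m2", "recipients": ["collector@attacker.invalid"]},
    {"ts": "2023-06-01T09:10:00", "op": "Send", "mailbox": "alice@example.org",
     "msg_id": "m3", "recipients": ["drop@attacker.invalid"]},
    {"ts": "2023-06-01T09:10:01", "op": "Create", "mailbox": "alice@example.org",
     "msg_id": "m3", "folder": "Sent Items"},
    {"ts": "2023-06-01T09:10:03", "op": "HardDelete", "mailbox": "alice@example.org",
     "msg_id": "m3", "folder": "Sent Items"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_covert_sends(events, org_domains, window_s=60):
    """Return one finding per Send event whose Sent Items copy is missing or purged.

    A Send is considered normal only if a Create in 'Sent Items' for the same
    message appears within `window_s` seconds and no HardDelete of that copy
    follows inside the same window.
    """
    org_domains = {d.lower() for d in org_domains}
    window = timedelta(seconds=window_s)

    # Group events per (mailbox, message) so each send is judged against its own copy.
    by_msg = defaultdict(list)
    for ev in events:
        by_msg[(ev["mailbox"], ev["msg_id"])].append(ev)

    findings = []
    for (mailbox, msg_id), evs in by_msg.items():
        evs.sort(key=lambda e: _parse(e["ts"]))
        for send in (e for e in evs if e["op"] == "Send"):
            t0 = _parse(send["ts"])
            in_window = [e for e in evs if t0 <= _parse(e["ts"]) <= t0 + window
                         and e.get("folder") == "Sent Items"]
            creates = [e for e in in_window if e["op"] == "Create"]
            deletes = [e for e in in_window if e["op"] == "HardDelete"]
            if creates and not deletes:
                continue  # copy exists and was kept: ordinary user behaviour
            reason = "no Sent Items copy" if not creates else "Sent Items copy purged"
            # Recipients outside the organisation raise the priority of the finding.
            external = [r for r in send.get("recipients", [])
                        if r.rsplit("@", 1)[-1].lower() not in org_domains]
            findings.append({
                "mailbox": mailbox,
                "msg_id": msg_id,
                "ts": send["ts"],
                "reason": reason,
                "external_recipients": external,
            })
    return findings


if __name__ == "__main__":
    for f in find_covert_sends(SAMPLE_EVENTS, ["example.org"]):
        print(f"{f['ts']} {f['mailbox']} {f['msg_id']}: {f['reason']} "
              f"-> external={f['external_recipients']}")
```

In practice the Send/Create/HardDelete correlation is only one signal; it should be combined with the consent and token-issuance events for the OAuth grants the article mentions, and a short window is deliberate so that a user's legitimate later clean-up of Sent Items is not flagged.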
The UK’s response includes comprehensive sanctions against three GRU units: 26165, 29155, and 74455, along with 18 GRU officers and agents involved in global cyber and information interference operations.
Foreign Secretary David Lammy emphasized that these measures demonstrate the UK’s commitment to countering Russian hybrid threats, stating that “GRU spies are running a campaign to destabilise Europe, undermine Ukraine’s sovereignty and threaten the safety of British citizens”.
This attribution aligns with the Strategic Defence Review’s identification of Russia as the most acute threat facing the UK.
The government has announced the largest sustained boost in defence spending since the Cold War, increasing to 2.6% of GDP by 2027 as part of efforts to counter cyber and hybrid threats.
The NCSC’s investigation confirms that APT 28, also known in open source communities as Fancy Bear, Forest Blizzard, and Blue Delta, operates as part of Russia’s GRU 85th Main Special Service Centre, Military Unit 26165.
Paul Chichester, NCSC Director of Operations, noted that “the use of AUTHENTIC ANTICS malware demonstrates the persistence and sophistication of the cyber threat posed by Russia’s GRU”.
The malware discovery emerged from a cyber incident investigated by Microsoft and NCC Group in 2023, highlighting the importance of public-private cybersecurity partnerships.
The UK’s technical attribution has been coordinated with international partners, reinforcing collective defense against Russian cyber operations targeting critical infrastructure and democratic institutions across Europe and beyond.