The UK’s National Cyber Security Centre (NCSC) has identified a new cyber espionage campaign attributed to Russian military intelligence operatives. According to a recent report, threat actors associated with the GRU, specifically the well-known group APT28, have been actively using a previously unknown piece of malware known as “Authentic Antics” to carry out targeted cyber operations against email systems.
Microsoft Outlook accounts targeted
The malware is designed with a high degree of sophistication and focuses primarily on compromising Microsoft Outlook accounts. Rather than relying on conventional phishing emails or exploit kits, Authentic Antics integrates itself with the victim’s Outlook application. Once deployed, the malware quietly runs in the background, blending in with legitimate software processes. It periodically triggers a fake login window that closely mimics genuine Microsoft authentication prompts. When unsuspecting users enter their credentials, the malware captures not only usernames and passwords but also OAuth 2.0 tokens, which are subsequently transmitted to attacker-controlled servers.
One of the distinguishing features of Authentic Antics is its ability to send stolen data through the victim’s own Outlook account. These outbound messages are crafted so that they do not appear in the Sent folder or raise user suspicion. In addition, all data exfiltration is channeled through Microsoft’s legitimate infrastructure, allowing the operation to evade standard network monitoring tools.
Advanced evasion techniques
The malware uses advanced evasion techniques, including removing hooks from critical Windows system libraries such as ntdll.dll, in order to avoid detection by endpoint security tools. It also employs environmental keying to ensure it activates only within intended target environments. Elements of the malware masquerade as legitimate components of Microsoft’s Authentication Library for .NET, further complicating efforts to analyze and detect it.
APT28 and UK response
APT28, also known under aliases such as Fancy Bear, has a long history of conducting cyber-espionage activities targeting government and military sectors worldwide. It is operated by Russia’s GRU Unit 26165 and has previously been linked to campaigns aimed at disrupting democratic institutions and stealing sensitive data. The latest campaign utilizing Authentic Antics appears to align with Russia’s broader strategic objectives in cyber intelligence gathering.
In response to these developments, the UK government has issued sanctions against several GRU personnel and affiliated units, referencing their roles in persistent and malicious cyber campaigns directed at Western interests.
Organizations relying on Microsoft Outlook or cloud services are advised to take immediate action, including reviewing access logs, inspecting for anomalous use of OAuth tokens, and following up-to-date cybersecurity guidance.
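As an added illustration of the last recommendation (not code from the NCSC report), the script below flags two signs of a stolen OAuth token being replayed from attacker infrastructure: the same token appearing from a second source IP within a short window, and token use by a client application that is not on an allow-list. The log format, field names and sample records are constructed for this example and do not match any real Microsoft log schema; map the parser to your tenant's actual sign-in or audit export before use.

```python
"""Flag anomalous OAuth token use in sign-in records (constructed example)."""
from datetime import datetime

# Constructed sample records (hypothetical schema, not a real Microsoft log format):
# timestamp, user, token_id, source_ip, client_app  -- one token use per line.
SAMPLE_LOG = """\
2025-07-18T08:02:11Z alice@example.com tok-a1 203.0.113.10 outlook-desktop
2025-07-18T08:15:40Z alice@example.com tok-a1 203.0.113.10 outlook-desktop
2025-07-18T08:16:05Z alice@example.com tok-a1 198.51.100.77 python-requests
2025-07-18T09:00:00Z bob@example.com tok-b9 203.0.113.22 outlook-desktop
"""

# Client applications expected to present Outlook tokens in this (hypothetical) tenant.
KNOWN_APPS = frozenset({"outlook-desktop", "outlook-web"})


def parse(log):
    """Parse the constructed log format into event dicts with timezone-aware timestamps."""
    events = []
    for line in log.splitlines():
        ts, user, token, ip, app = line.split()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "user": user, "token": token, "ip": ip, "app": app})
    return events


def find_token_anomalies(events, window_minutes=60, known_apps=KNOWN_APPS):
    """Return (user, token, reason, detail) tuples for suspicious token use."""
    alerts = []
    first_seen = {}  # token -> (ip, ts) of the first sighting
    for ev in sorted(events, key=lambda e: e["ts"]):
        tok = ev["token"]
        # A token presented by an unexpected client is a strong replay indicator.
        if ev["app"] not in known_apps:
            alerts.append((ev["user"], tok, "unknown-client", ev["app"]))
        if tok not in first_seen:
            first_seen[tok] = (ev["ip"], ev["ts"])
            continue
        ip0, ts0 = first_seen[tok]
        # Same token from a different IP shortly after first use: likely reuse elsewhere.
        if ev["ip"] != ip0 and (ev["ts"] - ts0).total_seconds() <= window_minutes * 60:
            alerts.append((ev["user"], tok, "second-ip-within-window", ev["ip"]))
    return alerts


def analyze(log=SAMPLE_LOG):
    return find_token_anomalies(parse(log))


if __name__ == "__main__":
    for alert in analyze():
        print(alert)
```

Replacing the inline sample with a real export turns this into a quick triage pass over the review window the guidance calls for.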