Recent cyberattacks deploying the potent Authentic Antics malware tool to target Microsoft cloud accounts were the handiwork of the notorious Russian Fancy Bear hacking group, the UK’s National Cyber Security Centre (NCSC) has said.
Authentic Antics was discovered after a cyberattack in 2023 which prompted an NCSC technical teardown of the malware that it published in May this year. The agency has now confirmed everybody’s suspicions by formally attributing the platform to Russia’s GRU 26165 military intelligence unit, better known as Fancy Bear or APT 28.
However, where most reports on espionage tend to gloss over details, the NCSC’s latest report offers an unusual level of background on the alleged Fancy Bear operations and the Russian operatives behind them.
In total, 18 intelligence officers and commanders are named and financially sanctioned by the NCSC across GRU Units 29155 and 74455, in addition to 26165 itself.
A ‘campaign to destabilize Europe’
Fancy Bear became a household name in the West for attacks such as the 2016 leak of World Anti-Doping Agency (WADA) athlete data and a similar data breach at the US Democratic National Committee (DNC) during the presidential election in the same year.
According to the NCSC, the unit has conducted numerous attacks since then, including the targeting of the email accounts of Yulia and Sergei Skripal which assisted in their attempted murder in 2018.
“GRU spies are running a campaign to destabilize Europe, undermine Ukraine’s sovereignty, and threaten the safety of British citizens,” commented UK Foreign Secretary David Lammy.
“The Kremlin should be in no doubt: we see what they are trying to do in the shadows, and we won’t tolerate it. That’s why we’re taking decisive action with sanctions against Russian spies. Protecting the UK from harm is fundamental to this government’s Plan for Change,” he added.
How dangerous is Authentic Antics?
Like all nation-state cyber tools, Authentic Antics is good at what it is designed to do, in this case stealing Microsoft Office account credentials via fake login prompts or by harvesting OAuth 2.0 tokens.
The malware employs a range of techniques to evade detection, including communicating using legitimate services and exfiltrating stolen data from hacked accounts by sending innocent-looking emails.
“There is no traditional command and control implemented which may have increased the likelihood of it being detected,” noted May’s NCSC analysis.
The bad news, then, is that it’s very hard to detect. The good news is, it’s also likely only used against specific targets, which means it’s unlikely to be widely deployed. However, there is still no harm in studying the indicators of compromise (IOCs) documented by the NCSC or applying YARA rules on endpoint protection platforms.
Outing a bear
Why make such a fuss about Fancy Bear, Russian GRU units, named operatives, and advanced hacking tools?
Beyond the obvious need to warn the world about these activities, the revelations illustrate a form of information warfare that was pioneered by the US over the last decade, against China in particular. The tactic holds that one way to counter nation-state espionage is to name names and sanction real people, which blows away the mystique that often surrounds these groups, especially when they are given inscrutable designations such as Fancy Bear or APT 28.
It also puts the enemy on notice that its tools are known, requiring opponents to expend effort developing new ones.