UK warns Russian Fancy Bear hackers are targeting Microsoft 365 accounts

A Russian Flag over a keyboard with a golden bear

  • UK NCSC details use of a piece of Authentic Antics malware
  • It is attributed to APT28 and allegedly used against Western companies helping Ukraine
  • The UK sanctioned 20 individuals suspected of being involved

Russian cybercriminals are targeting Microsoft 365 accounts with specialized malware, the UK government's cybersecurity arm has warned.

The UK National Cyber Security Centre (NCSC) has published a new technical deep dive, detailing a “sophisticated piece of malware” called Authentic Antics, first spotted in 2023, but only now attributed to APT28 - a known, state-sponsored threat actor from Russia, working for the country’s General Staff Main Intelligence Directorate (GRU).

APT28 is also known as Fancy Bear or Forest Blizzard and has been attributed to many high-profile cyber-espionage campaigns throughout the West.

Faking Microsoft login

While the NCSC doesn’t detail how the malware gets deployed, it speculates that it’s most likely through phishing emails or malicious Outlook add-ins.

Once running on the target machine, it targets Microsoft Outlook, looking to steal login credentials and OAuth 2.0 tokens for Microsoft services such as Exchange Online, SharePoint, or OneDrive.

It works by sporadically showing fake login prompts that mimic Microsoft’s authentication windows. It uses environmental keying to make sure it only activates on specific machines, and once a victim tries to log in, the entered information is relayed to the attackers.

For exfiltration, Authentic Antics uses the victim’s email inbox, sending the information in an email that later gets deleted from the “Sent” folder.
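The exfiltration pattern above (a message is sent from the victim's own mailbox and then removed from "Sent") leaves a recognisable trace in mailbox audit data. The following is an added hunting example, not code from the NCSC report or from this article: it parses a few constructed audit records and flags any mailbox where a Send is followed, within a short window, by a deletion out of the Sent Items folder. The field names (CreationTime, UserId, Operation, Folder.Path) follow the Exchange Online mailbox-audit layout as an assumption about the schema; the sample records and addresses are constructed.

```python
"""Hunt for send-then-delete-from-Sent-Items sequences in mailbox audit data.

Added example (not from the NCSC report). Field names are an assumption about
the Exchange Online mailbox-audit schema; sample records are constructed.
"""
import json
from datetime import datetime, timedelta

# Constructed sample audit records (JSON Lines). Not real telemetry.
SAMPLE_AUDIT_JSONL = r"""
{"CreationTime": "2025-07-18T09:00:00", "UserId": "alice@example.test", "Operation": "Send", "Item": {"Subject": "Q3 logistics"}}
{"CreationTime": "2025-07-18T09:00:40", "UserId": "alice@example.test", "Operation": "HardDelete", "Folder": {"Path": "\\Sent Items"}}
{"CreationTime": "2025-07-18T09:05:00", "UserId": "alice@example.test", "Operation": "MailItemsAccessed"}
{"CreationTime": "2025-07-18T10:00:00", "UserId": "bob@example.test", "Operation": "Send"}
{"CreationTime": "2025-07-18T10:01:00", "UserId": "bob@example.test", "Operation": "HardDelete", "Folder": {"Path": "\\Inbox"}}
{"CreationTime": "2025-07-18T11:00:00", "UserId": "carol@example.test", "Operation": "Send"}
{"CreationTime": "2025-07-18T12:30:00", "UserId": "carol@example.test", "Operation": "SoftDelete", "Folder": {"Path": "\\Sent Items"}}
{"CreationTime": "2025-07-18T13:00:00", "UserId": "dave@example.test", "Operation": "MoveToDeletedItems", "Folder": {"Path": "\\Sent Items"}}
""".strip()

# Mailbox-audit operations that remove an item from a folder.
DELETE_OPS = {"HardDelete", "SoftDelete", "MoveToDeletedItems"}


def parse_events(jsonl: str) -> list[dict]:
    """Parse JSON Lines audit records and sort them by timestamp."""
    events = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.fromisoformat(rec["CreationTime"])
        events.append(rec)
    return sorted(events, key=lambda r: r["_ts"])


def _from_sent_items(rec: dict) -> bool:
    """True if the record's folder path ends in 'Sent Items'."""
    path = (rec.get("Folder") or {}).get("Path", "")
    return path.lower().endswith("sent items")


def find_send_then_delete(events: list[dict], window: timedelta) -> list[dict]:
    """Return one hit per (Send, later Sent-Items deletion) pair within `window`.

    Pairs are evaluated per mailbox. Deletions from other folders, deletions
    with no preceding Send, and deletions outside the window are ignored.
    """
    by_user: dict[str, list[dict]] = {}
    for rec in events:
        by_user.setdefault(rec["UserId"], []).append(rec)

    hits = []
    for user, recs in by_user.items():
        sends = [r for r in recs if r["Operation"] == "Send"]
        deletes = [r for r in recs if r["Operation"] in DELETE_OPS and _from_sent_items(r)]
        for s in sends:
            for d in deletes:
                delta = d["_ts"] - s["_ts"]
                if timedelta(0) <= delta <= window:
                    hits.append({
                        "user": user,
                        "sent_at": s["_ts"].isoformat(),
                        "deleted_at": d["_ts"].isoformat(),
                        "seconds_between": delta.total_seconds(),
                        "delete_op": d["Operation"],
                    })
    return hits


def detect(jsonl: str = SAMPLE_AUDIT_JSONL, window_minutes: int = 10) -> list[dict]:
    """Convenience wrapper: parse, correlate, and return the hits."""
    return find_send_then_delete(parse_events(jsonl), timedelta(minutes=window_minutes))


if __name__ == "__main__":
    for hit in detect():
        print(hit)
```

With the default ten-minute window only the first mailbox is flagged; widening the window to two hours also catches the third, which shows why the threshold is a tuning choice. Users do legitimately delete sent mail, so this is a triage signal to be reviewed alongside the other indicators the NCSC describes (unexpected Microsoft login prompts, token use from unfamiliar clients), not a verdict on its own.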

Authentic Antics is part of a broader cyber-espionage campaign targeting Western organizations, especially those that support Ukraine in its war effort against Russia.

While names weren’t mentioned, the NCSC did say APT28 targeted logistics and transport organizations, tech firms with access to Microsoft’s cloud services, government entities in NATO countries, and broader infrastructure such as internet-connected cameras at border crossings, used to track shipments to Ukraine.

As a result of the findings, the UK has sanctioned GRU operatives, which included three units and 18 officers, Reuters reported.

Via The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.