A notorious Russian military hacking operation was spotted using a new set of state-of the-art malware tools targeting victim email accounts.The National Cyber Security Centre (NCSC) branch of the UK's Government Communications Headquarters (GCHQ) intelligence agency said that the APT 28 group, aka Fancy Bear, is using what is described as a “sophisticated” suite of tools known as “Authentic Antics."Designed as an infostealer specifically targeting Microsoft Windows systems, the malware sits on the host machine and looks to hide its activity amidst legitimate Windows system processes. While doing that, the Authentic Antics malware occasionally serves the target with Windows login-prompts.In addition to targeting local account credentials, the malware looks to access Windows OAuth tokens that could allow the attackers to log into other Windows-hosted services and accounts.The tactics are appear to be an effort to establish persistent access on infected machines, enabling the threat actors to maintain the ability to remotely access PCs and services even when the system has been restarted and the initial malware processes terminated.“The malware also exfiltrates victims’ data by sending emails from the victim’s account to an actor-controlled email address without the emails showing in the ‘sent’ folder,” NCSC said in its report on the malware.The NCSC also provided a technical document including signatures and indicators of compromise for network administrators and security vendors.APT 28 is hardly a newcomer in the threat actor space. Various iterations of the group's activities date back more than a decade and are linked to a number of high-profile attacks on government and private-sector countries primarily in the West.Most recently, the group has undertaken network infiltration and disruption operations against the Ukraine and various NATO member states as part of an effort support Russia's invasion of Ukraine.Though this malware disclosure was performed by the UK, it is highly likely that Authentic Antics deployments are in use against multiple targets in Europe and North America.The group’s efforts aligning directly with the interests of Russia’s military intelligence operations is no mere coincidence. Researchers and intelligence agencies have long known that APT28 takes its marching orders directly from Russian intelligence via the GRU 85th Main Special Service Centre.In addition to sounding the alarm on the new Authentic Antics malware, GCHQ said that it wants to limit APT28 by imposing financial sanctions against three GRU military units connected to the operation: units 26165, 29155 and 74455. Authorities also sanctioned 18 military officers and officials believed to be associated with the group.“The Kremlin should be in no doubt: we see what they are trying to do in the shadows and we won’t tolerate it,” UK General Secretary David Lammy said of the sanctions.“That’s why we’re taking decisive action with sanctions against Russian spies.”
Malware, Threat Intelligence, Endpoint/Device Security
Russian hackers using sophisticated ‘Authentic Antics’ malware, UK says
(Adobe Stock)
Shaun Nichols
A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds