
British authorities expose new Microsoft espionage malware, accuse and enforce sanctions on GRU hackers

GRU-linked group "Fancy Bear" continues to break into Outlook email accounts


**Current Status and Capabilities of Russia's APT28 (Fancy Bear or Forest Blizzard)**

In the realm of cyber espionage, APT28, also known as Fancy Bear or Forest Blizzard, remains a significant and persistent threat. This sophisticated group, linked to Russia's GRU unit 26165, has been active since at least 2004, carrying out sustained cyber attacks against a wide range of targets, including Ukraine and organisations supporting Ukraine in its war effort against Russia.

Recently, APT28 has deployed new malware, Authentic Antics, which targets Windows systems and Outlook inboxes. It steals Microsoft email credentials and OAuth authentication tokens; the tokens grant access to Microsoft cloud services such as Exchange Online, SharePoint and OneDrive for as long as they remain valid, without the attacker needing the password again.

Another significant development is the LameHug malware, which generates its commands at run time with a large language model. It has been used against Ukrainian government officials and reaches the model (an Alibaba-developed LLM) through a legitimate cloud API, so its data-harvesting traffic blends in with ordinary use of that service.

**Capabilities**

APT28 demonstrates a high level of sophistication in malware development and deployment. Authentic Antics displays fake Microsoft login windows to capture credentials and tokens, while LameHug uses an LLM to generate the reconnaissance and data-harvesting commands it runs on the host rather than shipping them hard-coded in the binary.

The group has also shown the ability to abuse the email service itself: Authentic Antics sends exfiltration emails from the compromised account to an attacker-controlled address without leaving a copy in the victim's Sent Items folder, and it uses the stolen OAuth tokens to reach cloud services such as OneDrive and SharePoint.
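The two capabilities above (a stolen OAuth token that opens Exchange Online, SharePoint and OneDrive, and silent use of the account from attacker infrastructure) suggest two checks a defender can run. The following is an added example written for this page, not code from the NCSC report or from Microsoft: it decodes a captured access token to show which Graph scopes it carries, and it flags non-interactive sign-ins from addresses a user has never signed in from interactively. The token, the scope watch-list and the sign-in records are constructed for the demonstration, and the field names only loosely follow the Entra ID sign-in log schema.

```python
"""Triage helpers for stolen-OAuth-token abuse of Microsoft cloud services.
Added example for this article, not NCSC or Microsoft code.
All tokens and log records below are constructed, not real telemetry."""
import base64
import json
from collections import defaultdict

# Delegated Microsoft Graph scopes that let a token holder read or send mail
# or browse SharePoint/OneDrive. Assumption: this is an analyst's watch-list,
# not an official Microsoft list.
SENSITIVE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_claims(jwt: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying the signature.
    This is forensic inspection of a token recovered from a host, not validation."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def sensitive_scopes(jwt: str) -> set:
    """Which watch-listed Graph scopes does this access token carry?"""
    claims = token_claims(jwt)
    scopes = set(claims.get("scp", "").split())  # 'scp' is space-separated
    return scopes & SENSITIVE_SCOPES


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed token for the demo; the signature part is a placeholder."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder"


# Constructed sign-in records (loosely modelled on Entra ID sign-in log fields).
# The third record is the tell: a silent (token-based) sign-in from an address
# alice has never used interactively.
SIGNIN_EVENTS = [
    {"user": "alice@example.org", "ip": "203.0.113.10",  "interactive": True,
     "resource": "Microsoft Graph", "client": "Outlook"},
    {"user": "alice@example.org", "ip": "203.0.113.10",  "interactive": False,
     "resource": "Microsoft Graph", "client": "Outlook"},
    {"user": "alice@example.org", "ip": "198.51.100.77", "interactive": False,
     "resource": "Microsoft Graph", "client": "Outlook"},
    {"user": "bob@example.org",   "ip": "203.0.113.22",  "interactive": True,
     "resource": "Microsoft Graph", "client": "Outlook"},
    {"user": "bob@example.org",   "ip": "203.0.113.22",  "interactive": False,
     "resource": "Office 365 SharePoint Online", "client": "OneDrive"},
]


def suspicious_token_use(events):
    """Flag non-interactive sign-ins (token refresh / silent auth) from an IP that
    the same user has never used for an interactive sign-in. A stolen token replayed
    from attacker infrastructure looks like this; the user's own device does not."""
    interactive_ips = defaultdict(set)
    for e in events:
        if e["interactive"]:
            interactive_ips[e["user"]].add(e["ip"])
    return [e for e in events
            if not e["interactive"] and e["ip"] not in interactive_ips[e["user"]]]


if __name__ == "__main__":
    demo = make_unsigned_jwt({"aud": "https://graph.microsoft.com",
                              "upn": "alice@example.org",
                              "scp": "Mail.Read Mail.Send Files.Read.All openid"})
    print("sensitive scopes:", sorted(sensitive_scopes(demo)))
    for hit in suspicious_token_use(SIGNIN_EVENTS):
        print("suspicious silent sign-in:", hit)
```

The IP baseline is a coarse heuristic: roaming and mobile users will produce false positives, so in practice it is combined with the other signals (new client application, new device ID, access to Sent Items or mail-send actions with no matching Outlook activity). Note also that the decoder deliberately skips signature verification; it is for reading a token recovered during incident response, never for deciding whether to trust one.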

APT28 is adaptable and innovative, leveraging zero-day vulnerabilities and weaponising legitimate cloud services to evade detection. Their targeting strategy primarily focuses on government officials, organisations supporting Ukraine, and critical infrastructure facilities, reflecting their strategic focus on geopolitical objectives.

**Recent Activities**

APT28 has been involved in recent campaigns targeting Ukrainian companies and Western logistics firms aiding Ukraine. These campaigns have employed tactics like zero-day exploits and phishing.

The UK government has sanctioned specific GRU units and individuals associated with APT28 for their malicious cyber activities. Before the GRU's 2018 Novichok attack on former Russian double agent Sergei Skripal and his daughter Yulia in Salisbury, GRU unit 26165 is believed to have planted X-Agent spyware on a phone belonging to Yulia Skripal.

The UK's National Cyber Security Centre (NCSC) has warned that network defenders should not underestimate this threat and that monitoring and protective action are essential for defending systems. The US and UK have previously identified APT28 as being associated with Russia's GRU.

APT28 is part of Russia's General Staff Main Intelligence Directorate (GRU), military unit 26165. As multiple government agencies warned in May, the unit is targeting "dozens" of Western and NATO-country logistics providers, technology companies and government organisations that provide transport and foreign assistance to Ukraine.

The UK government has also warned that APT28 has been deploying the previously unknown Authentic Antics malware to harvest Microsoft email credentials and take over compromised accounts. Separately, the GRU's targeting of internet-connected cameras at border crossings, part of a campaign that began in 2022, was aimed at tracking aid shipments into Ukraine.

In conclusion, APT28 continues to pose a significant cyber threat, with their recent development and deployment of advanced malware like Authentic Antics demonstrating their persistence and sophistication. It is crucial for network defenders to remain vigilant and take necessary protective measures to safeguard their systems against these threats.

  1. APT28's sophistication extends to LameHug, malware that generates its commands with an LLM and has been used against Ukrainian government officials.
  2. The UK government has sanctioned specific GRU units and individuals associated with APT28 for their malicious cyber activities.
  3. As GRU unit 26165, APT28 is currently focused on Western and NATO-country logistics providers, technology companies and government organisations providing transport and foreign assistance to Ukraine.
  4. Network defenders should remain vigilant, especially against APT28's recent deployment of Authentic Antics, and monitor for credential and OAuth token theft against Microsoft accounts.
