{"id":4061,"date":"2025-07-21T20:45:03","date_gmt":"2025-07-21T20:45:03","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4061"},"modified":"2025-07-21T20:45:03","modified_gmt":"2025-07-21T20:45:03","slug":"uk-blames-russias-infamous-fancy-bear-group-for-microsoft-cloud-hacks","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4061","title":{"rendered":"UK blames Russia\u2019s infamous \u2018Fancy Bear\u2019 group for Microsoft cloud hacks"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Recent cyberattacks deploying the potent <em>Authentic Antics<\/em> malware tool to target Microsoft cloud accounts were the handiwork of the notorious Russian Fancy Bear hacking group, the UK\u2019s National Cyber Security Centre (NCSC) has said.<\/p>\n<p>Authentic Antics was discovered after a cyberattack in 2023 which prompted an NCSC technical teardown of the malware that it published in May this year. 
The agency has now confirmed everybody\u2019s suspicions by formally attributing the platform to Russia\u2019s GRU 26165 military intelligence unit, better known as Fancy Bear or APT 28.<\/p>\n<p>However, where most reports on espionage tend to gloss over details, the NCSC\u2019s latest report offers an unusual level of background on the alleged Fancy Bear operations and the Russian operatives behind them.<\/p>\n<p>In total, 18 intelligence officers and commanders <a href=\"https:\/\/www.gov.uk\/government\/publications\/profile-gru-cyber-and-hybrid-threat-operations\/profile-gru-cyber-and-hybrid-threat-operations\" target=\"_blank\" rel=\"noopener\">are named and financially sanctioned<\/a> by the NCSC across GRU Units 29155 and 74455, in addition to 26165 itself.<\/p>\n<h2 class=\"wp-block-heading\">A \u2018campaign to destabilize Europe\u2019<\/h2>\n<p>Fancy Bear became a household name in the West for attacks such as the <a href=\"https:\/\/www.computerworld.com\/article\/1692399\/russian-hackers-allegedly-target-the-world-anti-doping-agency.html\" target=\"_blank\" rel=\"noopener\">2016 leak<\/a> of World Anti-Doping Agency (WADA) athlete data and <a href=\"https:\/\/www.computerworld.com\/article\/1681857\/russian-hackers-were-behind-dnc-breach-says-fidelis-cybersecurity.html\" target=\"_blank\" rel=\"noopener\">a similar data breach<\/a> at the US Democratic National Committee (DNC) during the presidential election in the same year.<\/p>\n<p>According to <a href=\"https:\/\/www.ncsc.gov.uk\/news\/uk-call-out-russian-military-intelligence-use-espionage-tool\" target=\"_blank\" rel=\"noopener\">the NCSC<\/a>, the unit has conducted numerous attacks since then, including the targeting of the email accounts of Yulia and Sergei Skripal which assisted in their <a href=\"https:\/\/en.wikipedia.org\/wiki\/Poisoning_of_Sergei_and_Yulia_Skripal\" target=\"_blank\" rel=\"noopener\">attempted murder<\/a> in 2018.<\/p>\n<p>\u201cGRU spies are running a campaign to 
destabilize Europe, undermine Ukraine\u2019s sovereignty, and threaten the safety of British citizens,\u201d commented UK Foreign Secretary David Lammy.<\/p>\n<p>\u201cThe Kremlin should be in no doubt: we see what they are trying to do in the shadows, and we won\u2019t tolerate it. That\u2019s why we\u2019re taking decisive action with sanctions against Russian spies. Protecting the UK from harm is fundamental to this government\u2019s Plan for Change,\u201d he added.<\/p>\n<h2 class=\"wp-block-heading\">How dangerous is Authentic Antics?<\/h2>\n<p>Like all nation-state cyber tools, Authentic Antics is good at what it is designed to do, in this case steal Microsoft Office account credentials via fake login prompts or by nabbing OAuth 2.0 tokens.<\/p>\n<p>The malware employs a range of techniques to evade detection, including communicating using legitimate services and exfiltrating stolen data from hacked accounts by sending innocent-looking emails.<\/p>\n<p>\u201cThere is no traditional command and control implemented which may have increased the likelihood of it being detected,\u201d noted May\u2019s <a href=\"https:\/\/www.ncsc.gov.uk\/static-assets\/documents\/malware-analysis-reports\/authentic-antics\/ncsc-mar-authentic_antics.pdf\" target=\"_blank\" rel=\"noopener\">NCSC analysis<\/a>.<\/p>\n<p>The bad news, then, is that it\u2019s very hard to detect. The good news is, it\u2019s also likely only used against specific targets, which means it\u2019s unlikely to be widely deployed. 
However, there is still no harm in studying the indicators of compromise (IOCs) documented by the NCSC or applying <a href=\"https:\/\/www.picussecurity.com\/resource\/glossary\/what-is-a-yara-rule\" target=\"_blank\" rel=\"noopener\">YARA rules<\/a> on endpoint protection platforms.<\/p>\n<h2 class=\"wp-block-heading\">Outing a bear<\/h2>\n<p>Why make such a fuss about Fancy Bear, Russian GRU units, named operatives, and advanced hacking tools?<\/p>\n<p>Beyond the obvious need to warn the world about these activities, the revelations illustrate a form of information warfare that was pioneered by the US over the last decade, against China in particular. This tactic holds that one way to counter nation-state espionage is to name names, sanctioning real people, which blows away the mystique that often surrounds some of these groups, especially when given inscrutable designations such as Fancy Bear or APT 28.<\/p>\n<p>It also puts the enemy on notice that its tools are known, requiring opponents to expend effort developing new ones.<\/p>\n<p>More on Fancy Bear:<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/4025139\/novel-malware-from-russias-apt28-prompts-llms-to-create-malicious-windows-commands.html\">Novel malware from Russia\u2019s APT28 prompts LLMs to create malicious Windows commands<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3975346\/russian-apt28-hackers-have-redoubled-efforts-during-ukraine-war-says-french-security-agency.html\">Russian APT28 hackers have redoubled efforts during Ukraine war, says French security agency<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/570739\/the-10-most-dangerous-cyber-threat-actors.html\">The 10 most dangerous cyber threat actors<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Recent cyberattacks deploying the potent Authentic Antics malware tool to target Microsoft cloud accounts were the handiwork of the notorious Russian Fancy Bear hacking group, the UK\u2019s National Cyber Security Centre (NCSC) has said. Authentic Antics was discovered after a cyberattack in 2023 which prompted an NCSC technical teardown of the malware that it published [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4043,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4061","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4061"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4061"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4061\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4043"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4061"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4061"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4061"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}
}