Russia Deploys New Malware to Hack Email for Espionage

Summary
– Russian military intelligence (GRU)-linked group APT28 has deployed new malware called “Authentic Antics” to spy on email accounts, according to the UK’s NCSC.
– The malware mimics legitimate Microsoft Outlook activity, intercepting login credentials and OAuth tokens to maintain persistent access to cloud accounts.
– Authentic Antics exfiltrates data by sending emails from victims’ accounts to attacker-controlled addresses without appearing in the sent folder.
– The NCSC warns that Russian cyber threats remain persistent and sophisticated, requiring continuous monitoring and protective actions.
– The UK government sanctioned three GRU units and 18 officers for global cyber operations, linking them to APT28’s activities.
Russian intelligence agencies have developed a stealthy new malware strain designed to infiltrate email accounts for espionage purposes, according to a recent warning from the UK’s National Cyber Security Centre. The malicious software, named “Authentic Antics,” represents a significant evolution in cyberattack techniques attributed to the GRU-linked hacking group APT28.
Security analysts found that this sophisticated tool specifically targets Microsoft cloud accounts by mimicking legitimate Outlook activity. Unlike conventional malware, it avoids detection by operating without traditional command-and-control infrastructure. Instead, it periodically displays fake login prompts to harvest credentials and OAuth tokens, granting attackers persistent access to victims’ accounts.
One particularly concerning feature allows the malware to secretly forward emails from compromised accounts to attacker-controlled addresses while leaving no trace in the sent folder. This covert exfiltration method makes detection exceptionally difficult for both users and security systems.
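A defender-side check that the silent-forwarding behaviour described above suggests, written as an added example rather than code from the NCSC, Microsoft or NCC Group: it reconciles outbound messages seen at the mail gateway with the mailbox’s Sent Items folder and flags external sends that have no Sent Items counterpart. The gateway records, folder contents, domains and field names are constructed for illustration.

```python
"""Spot outbound mail that never reached the user's Sent Items folder.
Added example; the record formats below are constructed, not real product output."""
from collections import Counter

# Constructed: outbound messages as seen by the mail gateway (message-trace view).
GATEWAY_TRACE = [
    {"msg_id": "<m1@corp.example>", "sender": "alice@corp.example",
     "recipient": "bob@corp.example", "subject": "Q3 plan"},
    {"msg_id": "<m2@corp.example>", "sender": "alice@corp.example",
     "recipient": "drop-7f3@mail.invalid", "subject": "FW: Q3 plan"},
    {"msg_id": "<m3@corp.example>", "sender": "alice@corp.example",
     "recipient": "drop-7f3@mail.invalid", "subject": "FW: contracts"},
    {"msg_id": "<m4@corp.example>", "sender": "alice@corp.example",
     "recipient": "carol@partner.example", "subject": "Invoice"},
]
# Constructed: Message-IDs currently present in alice's Sent Items folder.
SENT_ITEMS = {"<m1@corp.example>", "<m4@corp.example>"}
# Constructed: domains treated as inside the organisation.
INTERNAL_DOMAINS = {"corp.example"}


def domain(addr):
    """Lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


def find_silent_sends(trace, sent_items, internal_domains):
    """Gateway records whose Message-ID is missing from Sent Items and whose
    recipient is outside the organisation: mail left the account without the
    user's client recording it, which is the pattern described in the text."""
    return [r for r in trace
            if r["msg_id"] not in sent_items
            and domain(r["recipient"]) not in internal_domains]


def rank_destinations(hits):
    """Count silent sends per external recipient; the same destination recurring
    across many messages is a stronger signal than a single missing item."""
    return Counter(r["recipient"] for r in hits)


if __name__ == "__main__":
    hits = find_silent_sends(GATEWAY_TRACE, SENT_ITEMS, INTERNAL_DOMAINS)
    for r in hits:
        print(f"silent send {r['msg_id']} -> {r['recipient']} ({r['subject']})")
    for dest, n in rank_destinations(hits).most_common():
        print(f"{dest}: {n} silent send(s)")
```

Message m4 is external but present in Sent Items, so it is not flagged; only a gateway-side source is trustworthy here, since the compromised mailbox itself cannot be relied on to show the messages.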
Paul Chichester, NCSC Director of Operations, emphasized the seriousness of the threat: “This malware demonstrates the GRU’s continued investment in advanced cyber capabilities. Organizations must remain vigilant, as these attacks blend seamlessly with normal network activity.” The discovery followed a joint investigation by Microsoft and NCC Group, an NCSC-approved incident response provider.
The warning comes amid heightened cybersecurity tensions with Russia. Ukrainian authorities recently identified another potential APT28-linked malware called “LameHug,” targeting defense sector systems. Earlier this year, Western intelligence agencies also exposed Russian cyber operations against logistics and technology firms.
In response to these threats, the UK government imposed sanctions against three GRU units and 18 officers involved in global cyber operations. Foreign Secretary David Lammy stated: “We’re taking direct action against those conducting malicious cyber campaigns. The Kremlin should understand we will not ignore these shadowy attacks on international security.”
APT28, also known by aliases including Fancy Bear and Sednit, remains one of Russia’s most active cyber espionage groups. Their evolving tactics highlight the growing sophistication of state-sponsored digital threats, requiring constant adaptation from defenders. Security experts recommend enhanced monitoring of cloud environments and multi-factor authentication to mitigate such risks.
(Source: InfoSecurity)