{"id":14479,"date":"2025-07-21T20:48:11","date_gmt":"2025-07-21T20:48:11","guid":{"rendered":"https:\/\/newestek.com\/?p=14479"},"modified":"2025-07-21T20:48:11","modified_gmt":"2025-07-21T20:48:11","slug":"uk-blames-russias-infamous-fancy-bear-group-for-microsoft-cloud-hacks","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14479","title":{"rendered":"UK blames Russia\u2019s infamous \u2018Fancy Bear\u2019 group for Microsoft cloud hacks"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Recent cyberattacks deploying the potent <em>Authentic Antics<\/em> malware tool to target Microsoft cloud accounts were the handiwork of the notorious Russian Fancy Bear hacking group, the UK\u2019s National Cyber Security Centre (NCSC) has said.<\/p>\n<p>Authentic Antics was discovered after a cyberattack in 2023 which prompted an NCSC technical teardown of the malware that it published in May this year. The agency has now confirmed everybody\u2019s suspicions by formally attributing the platform to Russia\u2019s GRU 26165 military intelligence unit, better known as Fancy Bear or APT 28.<\/p>\n<p>However, where most reports on espionage tend to gloss over details, the NCSC\u2019s latest report offers an unusual level of background on the alleged Fancy Bear operations and the Russian operatives behind them.<\/p>\n<p>In total, 18 intelligence officers and commanders <a href=\"https:\/\/www.gov.uk\/government\/publications\/profile-gru-cyber-and-hybrid-threat-operations\/profile-gru-cyber-and-hybrid-threat-operations\" target=\"_blank\" rel=\"noreferrer noopener\">are named and financially sanctioned<\/a> by the NCSC across GRU Units 29155 and 74455, in addition to 26165 itself.<\/p>\n<h2 class=\"wp-block-heading\" id=\"a-campaign-to-destabilize-europe\">A \u2018campaign to destabilize Europe\u2019<\/h2>\n<p>Fancy Bear became a household name in the West for attacks such as the <a href=\"https:\/\/www.computerworld.com\/article\/1692399\/russian-hackers-allegedly-target-the-world-anti-doping-agency.html\" target=\"_blank\">2016 leak<\/a> of World Anti-Doping Agency (WADA) athlete data and <a href=\"https:\/\/www.computerworld.com\/article\/1681857\/russian-hackers-were-behind-dnc-breach-says-fidelis-cybersecurity.html\" target=\"_blank\">a similar data breach<\/a> at the US Democratic National Committee (DNC) during the presidential election in the same year.<\/p>\n<p>According to <a href=\"https:\/\/www.ncsc.gov.uk\/news\/uk-call-out-russian-military-intelligence-use-espionage-tool\" target=\"_blank\" rel=\"noreferrer noopener\">the NCSC<\/a>, the unit has conducted numerous attacks since then, including the targeting of the email accounts of Yulia and Sergei Skripal which assisted in their <a href=\"https:\/\/en.wikipedia.org\/wiki\/Poisoning_of_Sergei_and_Yulia_Skripal\" target=\"_blank\" rel=\"noreferrer noopener\">attempted murder<\/a> in 2018.<\/p>\n<p>\u201cGRU spies are running a campaign to destabilize Europe, undermine Ukraine\u2019s sovereignty, and threaten the safety of British citizens,\u201d commented UK Foreign Secretary David Lammy.<\/p>\n<p>\u201cThe Kremlin should be in no doubt: we see what they are trying to do in the shadows, and we won\u2019t tolerate it. That\u2019s why we\u2019re taking decisive action with sanctions against Russian spies. Protecting the UK from harm is fundamental to this government\u2019s Plan for Change,\u201d he added.<\/p>\n<h2 class=\"wp-block-heading\" id=\"how-dangerous-is-authentic-antics\">How dangerous is Authentic Antics?<\/h2>\n<p>Like all nation-state cyber tools, Authentic Antics is good at what it is designed to do, in this case steal Microsoft Office account credentials via fake login prompts or by nabbing OAuth 2.0 tokens.<\/p>\n<p>The malware employs a range of techniques to evade detection, including communicating using legitimate services and exfiltrating stolen data from hacked accounts by sending innocent-looking emails.<\/p>\n<p>\u201cThere is no traditional command and control implemented which may have increased the likelihood of it being detected,\u201d noted May\u2019s <a href=\"https:\/\/www.ncsc.gov.uk\/static-assets\/documents\/malware-analysis-reports\/authentic-antics\/ncsc-mar-authentic_antics.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">NCSC analysis<\/a>.<\/p>\n<p>The bad news, then, is that it\u2019s very hard to detect. The good news is, it\u2019s also likely only used against specific targets, which means it\u2019s unlikely to be widely deployed. However, there is still no harm in studying the indicators of compromise (IOCs) documented by the NCSC or applying <a href=\"https:\/\/www.picussecurity.com\/resource\/glossary\/what-is-a-yara-rule\" target=\"_blank\" rel=\"noreferrer noopener\">YARA rules<\/a> on endpoint protection platforms.<\/p>\n<h2 class=\"wp-block-heading\" id=\"outing-a-bear\">Outing a bear<\/h2>\n<p>Why make such a fuss about Fancy Bear, Russian GRU units, named operatives, and advanced hacking tools?<\/p>\n<p>Beyond the obvious need to warn the world about these activities, the revelations illustrate a form of information warfare that was pioneered by the US over the last decade, against China in particular. This tactic holds that one way to counter nation state espionage is to name names, sanctioning real people, which blows away the mystique that often surrounds some of these groups, especially when given inscrutable designations such as Fancy Bear or APT 28.<\/p>\n<p>It also puts the enemy on notice that its tools are known, requiring opponents to expend effort developing new ones.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Recent cyberattacks deploying the potent Authentic Antics malware tool to target Microsoft cloud accounts were the handiwork of the notorious Russian Fancy Bear hacking group, the UK\u2019s National Cyber Security Centre (NCSC) has said. Authentic Antics was discovered after a cyberattack in 2023 which prompted an NCSC technical teardown of the malware that it published in May this year. The agency has now confirmed everybody\u2019s&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14479\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14479","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14479","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14479"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14479\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14479"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14479"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14479"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}