UK attributes Microsoft 365 targeting campaign to Russian state hackers APT28

They're mapping the supply chain for Ukraine aid
Russian military intelligence targets logistics and border infrastructure to understand Western support flows into Ukraine.

In the long contest between open societies and those who would surveil them from the shadows, Britain has named a name and drawn a line. The UK's National Cyber Security Centre has formally attributed a malware campaign called Authentic Antics to APT28, a hacking collective operating under Russia's military intelligence directorate, the GRU, confirming what many suspected: that Western organizations supporting Ukraine have been systematically targeted since at least 2023. By sanctioning twenty-one GRU officers and units, London signals that cyber-espionage is no longer a matter for technical specialists alone, but a question of statecraft and consequence.

  • A malware strain disguised as Microsoft's own login screens has been quietly harvesting credentials and OAuth tokens from logistics firms, NATO governments, and tech companies — all linked to Ukraine aid supply chains.
  • The theft is designed to be invisible: stolen data exits through the victim's own email account, then the evidence is erased from the sent folder, leaving organizations unaware they have been compromised.
  • The campaign's targeting is surgical, not opportunistic — border-crossing cameras, cloud infrastructure providers, and military-aid logistics networks all appear on APT28's list, mapping the architecture of Western support for Ukraine.
  • Britain has responded by sanctioning three GRU units and eighteen individual officers, one of the most direct acts of attribution and consequence the UK has publicly announced against Russian cyber operations.
  • Security teams are now urged to treat suspicious authentication prompts as potential attack vectors, monitor outbound email for anomalies, and treat the NCSC's published signatures as an immediate defensive priority.

British cybersecurity officials have formally linked a sophisticated malware campaign to APT28 — the Russian state-sponsored group also known as Fancy Bear and Forest Blizzard, operating under the GRU — exposing a coordinated effort to infiltrate the email systems of Western organizations supporting Ukraine. The malware, called Authentic Antics, has been circulating since at least 2023 but was only now publicly attributed.

Authentic Antics works by impersonating Microsoft's login screens. Delivered likely through phishing or malicious Outlook add-ins, it uses environmental keying to activate only on intended targets, avoiding detection on other machines. When a user enters credentials into what appears to be a legitimate authentication window, the malware captures those details along with OAuth 2.0 tokens granting access to Exchange Online, SharePoint, and OneDrive. The stolen data is then exfiltrated through the victim's own email account — with sent messages deleted to erase the trail.

The targeting pattern reveals a strategic intelligence operation rather than opportunistic hacking. APT28 focused on logistics and transport companies, technology firms embedded in Microsoft's cloud ecosystem, NATO government agencies, and even internet-connected cameras at border crossings monitoring the flow of military aid into Ukraine — a map of the West's support infrastructure.

In response, the UK sanctioned three GRU units and eighteen individual officers, one of the most direct public attributions Britain has made against Russian cyber operations. For organizations in the crosshairs, the disclosure is an urgent call to reinforce email security, scrutinize authentication prompts, and monitor outbound traffic — using the NCSC's published technical signatures to detect Authentic Antics before it can take hold.

British cybersecurity officials have linked a sophisticated malware campaign directly to Russian state hackers, exposing a coordinated effort to infiltrate the email systems of Western organizations that support Ukraine. The UK National Cyber Security Centre released technical details this week about the malware, called Authentic Antics, which has been circulating since at least 2023 but only now attributed to APT28—a Russian state-sponsored group operating under the country's military intelligence directorate, the GRU. The group is also known by the nicknames Fancy Bear and Forest Blizzard, and has orchestrated some of the most visible cyber-espionage operations against Western targets over the past decade.

The malware works by impersonating Microsoft's login screens. Once installed on a target's computer—likely through phishing emails or malicious add-ins bundled with Outlook—it waits for the right moment to strike. The code is designed to activate only on specific machines, using what security researchers call environmental keying to avoid triggering on systems where it shouldn't run. When a user enters their credentials at what appears to be a legitimate Microsoft authentication window, the malware captures those details along with OAuth 2.0 tokens that grant access to cloud services like Exchange Online, SharePoint, and OneDrive. The stolen information is then quietly exfiltrated by sending it through the victim's own email account, with the evidence deleted from the sent folder to cover the tracks.

The targeting pattern reveals the campaign's strategic focus. APT28 has concentrated its efforts on logistics and transport companies, technology firms with deep access to Microsoft's cloud infrastructure, government agencies in NATO countries, and critical infrastructure like internet-connected cameras positioned at border crossings—systems used to monitor the flow of military aid into Ukraine. The breadth of targets suggests this is not opportunistic hacking but a coordinated intelligence operation designed to map supply chains, intercept communications, and gather intelligence on Western support for Ukraine's defense.

In response to these findings, the UK government has imposed sanctions against operatives believed responsible for the campaign. The action targeted three GRU units and eighteen individual officers, representing one of the more direct attributions and consequences the UK has announced in connection with Russian cyber operations. The sanctions signal that British officials view this campaign not as mere criminal activity but as state-directed espionage warranting diplomatic and economic consequences.

For organizations in the crosshairs—particularly those in logistics, technology, and government sectors—the disclosure carries an urgent message. The malware's reliance on fake login prompts means that employee awareness and multi-factor authentication become critical defenses. The use of the victim's own email infrastructure for data theft also underscores the importance of monitoring outbound email traffic for anomalies and maintaining detailed logs of authentication events. As the campaign continues to evolve, the technical details released by the NCSC provide defenders with the signatures and behavioral patterns needed to detect and block Authentic Antics before it can establish a foothold.

The malware uses environmental keying to activate only on specific machines, avoiding detection on security researchers' test systems
— UK NCSC technical analysis
La Conversación del Hearth Otra perspectiva de la historia
Inventor

Why does a Russian military intelligence unit care about logistics companies and border cameras? What's the actual value of that information?

Model

They're mapping the supply chain. If you know which transport companies move aid, which routes they use, which border crossings handle the traffic, you can identify vulnerabilities—places where shipments might be intercepted, delayed, or where Russian forces might position assets. It's not just espionage; it's operational intelligence.

Inventor

And the Microsoft 365 targeting—why is that the vector of choice here?

Model

Because everyone uses it. It's ubiquitous in government and corporate environments. If you compromise an Exchange account, you get access to years of email history, calendar invitations that reveal meetings and plans, shared documents. It's the nervous system of an organization.

Inventor

The malware deletes itself from the sent folder. That's careful tradecraft.

Model

Very careful. It suggests they've learned from past operations. They know defenders look at email logs. By cleaning up after themselves, they buy time before anyone notices the breach. Some organizations might never realize they were compromised.

Inventor

What does the environmental keying do exactly?

Model

It's a safety mechanism. The malware only activates on machines that match certain criteria—maybe a specific Windows version, or the presence of particular software. It prevents the malware from running on honeypots or security researchers' test systems, which would expose the operation prematurely.

Inventor

So the sanctions—do they actually stop this?

Model

Sanctions are a message, not a cure. They might make it harder for those individuals to move money or travel, but the operation itself continues. The real defense is technical: better email security, multi-factor authentication, training people to spot fake login prompts. The sanctions are acknowledgment that this is state action, not just crime.

Quieres la nota completa? Lee el original en TechRadar ↗
Contáctanos FAQ