The UK Government has formally accused Russian military intelligence of deploying a sophisticated cyber espionage tool targeting email accounts. The malware, named AUTHENTIC ANTICS, has been used by the cyber threat group APT 28, which is linked to the GRU’s 85th Main Special Service Centre (Unit 26165).

The announcement, made by GCHQ’s National Cyber Security Centre (NCSC) on 18 July, follows a broader move by the UK to sanction three GRU units (26165, 29155, and 74455) and 18 Russian operatives involved in global cyber and disinformation campaigns supporting Russia’s geopolitical objectives.

How the malware works

AUTHENTIC ANTICS enables long-term, stealthy access to Microsoft cloud accounts by mimicking legitimate login prompts to steal user credentials and OAuth tokens. With valid tokens, the attacker can keep reaching Microsoft services without the password being entered again, so changing the password alone does not end the access. The malware can also silently exfiltrate data by sending emails from compromised accounts without leaving a copy in the “Sent” folder, which is what a user or investigator would normally look at first.
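The "no trace in Sent" behaviour suggests one concrete check a defender can run: reconcile audited send events against what the mailbox's Sent Items folder actually contains. The following is an added example written for this page, not code from the NCSC report or from the malware analysis; the record shapes, field names (`mailbox`, `operation`, `internet_message_id`, `client`) and the sample events are constructed for illustration and do not reproduce a real Microsoft 365 audit export.

```python
"""Reconcile outbound-mail audit events with the Sent Items folder.

Added example (not from the NCSC report). A message that was sent from a
mailbox but never appeared in that mailbox's Sent Items is the pattern worth
escalating. Field names and sample data are assumed/constructed.
"""
from collections import defaultdict

# Constructed sample events, loosely modelled on mailbox "Send" audit records.
AUDIT_EVENTS = [
    {"mailbox": "alice@example.org", "operation": "Send",
     "internet_message_id": "<a1@example.org>", "client": "Outlook"},
    {"mailbox": "alice@example.org", "operation": "Send",
     "internet_message_id": "<a2@example.org>", "client": "UnknownApp"},
    {"mailbox": "bob@example.org", "operation": "Send",
     "internet_message_id": "<b1@example.org>", "client": "Outlook"},
    {"mailbox": "bob@example.org", "operation": "MailItemsAccessed",
     "internet_message_id": "<b9@example.org>", "client": "Outlook"},
    {"mailbox": "carol@example.org", "operation": "Send",
     "internet_message_id": "<c1@example.org>", "client": "Outlook"},
]

# Constructed snapshot: message IDs present in each mailbox's Sent Items.
# carol's mailbox is deliberately absent to exercise the "no snapshot" path.
SENT_ITEMS = {
    "alice@example.org": {"<a1@example.org>"},
    "bob@example.org": {"<b1@example.org>"},
}

# Assumed allow-list of client names that normally send mail for these users.
KNOWN_CLIENTS = {"Outlook", "OutlookWebApp"}


def find_untraced_sends(events, sent_items, known_clients=KNOWN_CLIENTS):
    """Return {mailbox: [finding, ...]} for Send events that cannot be
    matched to a Sent Items copy.

    Each finding carries a list of reasons so the analyst can rank them:
      - "no_sent_copy":   the message ID is not in the Sent Items snapshot
      - "no_snapshot":    we have no Sent Items data for this mailbox at all
      - "unknown_client": the sending client is not on the allow-list
    Events other than Send are ignored.
    """
    findings = defaultdict(list)
    for ev in events:
        if ev.get("operation") != "Send":
            continue
        mbox = ev["mailbox"]
        mid = ev["internet_message_id"]
        reasons = []
        if mbox not in sent_items:
            reasons.append("no_snapshot")
        elif mid not in sent_items[mbox]:
            reasons.append("no_sent_copy")
        if ev.get("client") not in known_clients:
            reasons.append("unknown_client")
        # A send that is both traced and from a known client is normal.
        if reasons and reasons != ["unknown_client"]:
            findings[mbox].append({"message_id": mid,
                                   "client": ev.get("client"),
                                   "reasons": reasons})
    return dict(findings)


def count_findings(findings):
    """Total number of flagged sends across all mailboxes."""
    return sum(len(v) for v in findings.values())


if __name__ == "__main__":
    for mbox, items in find_untraced_sends(AUDIT_EVENTS, SENT_ITEMS).items():
        for item in items:
            print(f"{mbox}: {item['message_id']} via {item['client']} "
                  f"-> {', '.join(item['reasons'])}")
```

In practice the Sent Items snapshot would come from the mailbox itself (for example via the mailbox's own folder listing) while the send events come from the audit trail; the point of the check is that the two sources are independent, so a tool that suppresses the Sent copy cannot also suppress the audit record of the send.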

The tool was discovered during the investigation of a 2023 cyber incident by Microsoft and NCC Group, an NCSC-certified incident response provider.

APT 28 and GRU cyber operations

APT 28, also known publicly as Fancy Bear, Forest Blizzard, and Blue Delta, has a history of targeting Western logistics and technology companies. The UK has previously linked Unit 29155 to digital sabotage operations, and Unit 74455 (Sandworm) to malware deployments such as Cyclops Blink and to the 2018 attempted cyberattack on the Organisation for the Prohibition of Chemical Weapons.

Government response and strategic defence

The UK’s response includes a significant increase in defence spending, reaching 2.6% of GDP by 2027, as part of its Plan for Change and National Security Strategy 2025. The strategy emphasises defending against hybrid threats, particularly from Russia, which it identifies as the most acute state-based threat.

Official statements

Foreign Secretary David Lammy said:

“GRU spies are running a campaign to destabilise Europe, undermine Ukraine’s sovereignty and threaten the safety of British citizens.

“The Kremlin should be in no doubt: we see what they are trying to do in the shadows and we won’t tolerate it. That’s why we’re taking decisive action with sanctions against Russian spies. Protecting the UK from harm is fundamental to this government’s Plan for Change.

“Putin’s hybrid threats and aggression will never break our resolve. The UK and our Allies’ support for Ukraine and Europe’s security is ironclad.”

Paul Chichester, NCSC Director of Operations, said:

“The use of AUTHENTIC ANTICS malware demonstrates the persistence and sophistication of the cyber threat posed by Russia’s GRU.

“NCSC investigations of GRU activities over many years show that network defenders should not take this threat for granted and that monitoring and protective action is essential for defending systems.

“We will continue to call out Russian malicious cyber activity and strongly encourage network defenders to follow advice available on the NCSC website.”

The UK’s announcement is coordinated with international partners, reinforcing collective efforts to expose and counter malicious cyber activity.

For more information, including technical details of the malware, the NCSC has published a full report on its Malware Analysis Reports page. Photo by National Counterintelligence and Security Center, Wikimedia Commons.