The UK and NATO released statements on July 18, 2025 blaming Russia’s GRU for malware targeting NATO allies. (Graphic by Breaking Defense, original images via Pexels)
WASHINGTON — The British government and NATO today publicly accused the Russian military intelligence service GRU of deploying malware targeting NATO allies in what the UK said was in “support of wider Russian geopolitical and military objectives.”
“GRU spies are running a campaign to destabilise Europe, undermine Ukraine’s sovereignty and threaten the safety of British citizens,” David Lammy, Britain’s foreign secretary, said in a statement. “[Russian President Vladimir] Putin’s hybrid threats and aggression will never break our resolve. The UK and our Allies support for Ukraine and Europe’s security is ironclad.”
The UK’s National Cyber Security Centre (NCSC) said today it was revealing that the cyber threat group APT 28, which the UK says is “part of Russia’s GRU 85th Main Special Service Centre,” is behind “sophisticated malware” known as Authentic Antics.
The malware targets Microsoft Outlook email accounts, steals users’ login details and enables long-term access to email accounts, according to the NCSC. “The malware also exfiltrates victims’ data by sending emails from the victim’s account to an actor-controlled email address without the emails showing in the ‘sent’ folder,” the NCSC said. (European entities, including the Czech Republic, said in May that APT 28 had targeted their systems through Microsoft Outlook.)
As a result, the UK government said today it has sanctioned three GRU units and 18 Russian individuals for “malicious hybrid operations.”
In tandem with the NCSC’s statement, NATO published a condemnation of what it said was Russia’s “malicious cyber activities” that have targeted critical infrastructure and military organizations across Europe and cyber entities across the continent and in the US.
“These attributions and the continuous targeting of our critical infrastructure, with the harmful impacts caused across several sectors, illustrate the extent to which cyber and wider hybrid threats have become important tools in Russia’s ongoing campaign to destabilise NATO Allies and in Russia’s brutal and unprovoked war of aggression against Ukraine,” NATO said.
Neither NATO nor NCSC responded to a request for additional comment by the time of publication.
Threat group APT28, which is also known as Fancy Bear, Forest Blizzard, Sednit, Sofacy, and UAC-0001, has been around since at least 2008, according to cybersecurity company CrowdStrike. In addition to deploying Authentic Antics, the group has used known tactics to target IT and defense firms in the US and NATO countries, aiming to disrupt aid to Ukraine, according to a May advisory from US cyber agencies.
Fancy Bear was also accused of being one of two Russian-backed hacking groups that hacked materials in the lead-up to the 2016 US presidential election.
Author: Carley Welch
This content is courtesy of, and owned and copyrighted by, https://breakingdefense.com and its author.