
UK sanctions Russian spies for ‘malicious cyber activity’
Diverging Reports Breakdown
UK sanctions Russian spies, hackers for ‘malicious’ cyber activity
The latest set of measures target three units of the Russian military intelligence agency GRU and 18 military intelligence officers. The British government said that GRU routinely uses cyber and information operations to sow chaos, division and disorder in Ukraine and across the world. “GRU spies are running a campaign to destabilise Europe, undermine Ukraine’s sovereignty and threaten the safety of British citizens,” said UK Foreign Secretary David Lammy. The UK accused Russia of “insidious activity” that stretches far beyond Europe. “The Kremlin should be in no doubt: we see what they are trying to do in the shadows and we won’t tolerate it,” said the Foreign, Commonwealth and Development Office.
The latest set of measures unveiled by the UK’s Foreign, Commonwealth and Development Office (FCDO) target three units of the Russian military intelligence agency GRU and 18 military intelligence officers.
The British government said that GRU routinely uses cyber and information operations to sow chaos, division and disorder in Ukraine and across the world, with “devastating real-world consequences”.
“GRU spies are running a campaign to destabilise Europe, undermine Ukraine’s sovereignty and threaten the safety of British citizens,” said UK Foreign Secretary David Lammy.
“The Kremlin should be in no doubt: we see what they are trying to do in the shadows and we won’t tolerate it. That’s why we’re taking decisive action with sanctions against Russian spies… [Russian President] Putin’s hybrid threats and aggression will never break our resolve. The UK and our Allies’ support for Ukraine and Europe’s security is ironclad,” he said.
Russia’s Unit 26165, which was sanctioned on Friday, is said to have conducted online reconnaissance to help target missile strikes against Mariupol in Ukraine in 2022 – including the strike that destroyed the Mariupol Theatre where hundreds of civilians, including children, were murdered.
The GRU military intelligence officers sanctioned are said to be responsible for historically targeting Yulia Skripal’s device with malicious malware known as X-Agent – five years before GRU military intelligence officers’ failed attempt to murder former Russian spy Sergei Skripal and his daughter Yulia with the deadly Novichok nerve agent in Salisbury.
The FCDO said that in the UK, Russia has targeted media outlets, telecoms providers, political and democratic institutions, and energy infrastructure. The United Kingdom and our international allies are watching Russia and are countering their attacks both publicly and behind the scenes.
The ministry describes hybrid threats as including cyber-attacks (hacking government systems or stealing trade secrets); disinformation (spreading false or misleading information online); sabotage (damaging infrastructure or supply chains); and political interference (influencing elections or public opinion).
“The UK government is committed to accelerating its efforts to counter hybrid threats at home, protecting the UK’s national security – a key foundation of the Plan for Change – and abroad, working in collaboration with a growing international coalition including all 32 NATO Allies, the EU and its member states, and our partners in the FBI,” the FCDO said.
“The Kremlin has also used cyber operations in support of Putin’s illegal war – including targeting critical infrastructure like Viasat satellite communications. Some of these attacks were conducted on the eve of the full-scale invasion in 2022 with the express purpose of degrading Ukraine’s ability to defend itself,” it said.
The UK accused Russia of “insidious activity” that stretches far beyond Europe. In addition to the GRU Units and officers, the UK government also sanctioned three leaders of “African Initiative”, a social media content mill established and funded by Russia and employing Russian intelligence officers to conduct information operations in West Africa.
This includes reckless attempts to undermine lifesaving global health initiatives in the region by pushing baseless conspiracy theories to further the Kremlin’s political agenda, the FCDO said.
UK sanctions Russian spies for ‘threats, aggression’
The Foreign Office said the sanctions targeted three GRU units and the 18 individual intelligence officers for a “sustained campaign of malicious cyber activity over many years”. The GRU routinely uses cyber and information operations to sow chaos, division and disorder in Ukraine and across the world, it said. Some of those sanctioned included GRU officers who had targeted Yulia Skripal, daughter of former Russian double agent Sergei Skripal.
He added: “Putin’s hybrid threats and aggression will never break our resolve.”
The Foreign Office said the sanctions targeted three GRU units and the 18 individual intelligence officers for a “sustained campaign of malicious cyber activity over many years, including in the UK”.
“The GRU routinely uses cyber and information operations to sow chaos, division and disorder in Ukraine and across the world with devastating real-world consequences,” it said in a statement.
Some of those sanctioned included GRU officers who had targeted Yulia Skripal, daughter of former Russian double agent Sergei Skripal, with malicious malware.
She was targeted five years before a failed poison attack on her father in the southwestern UK city of Salisbury in March 2018.
Other cyber attacks had also involved targets on UK soil, it said.
“In the UK, Russia has targeted media outlets, telecoms providers, political and democratic institutions, and energy infrastructure,” the statement added.
The Foreign Office said the sanctions against one GRU unit punished online reconnaissance to help target missile strikes on the southern Ukrainian city of Mariupol, including a deadly attack on a theatre where civilians were hiding.
NATO said in a statement it recognised that countries including the UK, Estonia, France and the United States had recently “attributed malicious cyber activity” targeting the alliance’s allies and Ukraine to Russian intelligence.
“These attributions and the continuous targeting of our critical infrastructure, with the harmful impacts caused across several sectors, illustrate the extent to which cyber and wider hybrid threats have become important tools in Russia’s ongoing campaign to destabilise NATO Allies and in Russia’s brutal and unprovoked war of aggression against Ukraine,” it said.
“We call on Russia to stop its destabilising cyber and hybrid activities,” it added.
Unmasked: The 18 Russian spies who mounted series of attacks on UK
Three units of the Russian military intelligence agency (GRU) have been hit with sanctions. 18 military intelligence officers have been targeted because of a sustained campaign of malicious cyber activity over many years, including in the UK. The government also accused the GRU of using cyber and information operations to “sow chaos, division and disorder in Ukraine and across the world”. Foreign Secretary David Lammy said: “The Kremlin should be in no doubt: we see what they are trying to do in the shadows and we won’t tolerate it”. Russia has always denied being involved in the chemical attack on Yulia Skripal and her father Sergei. The Skripals moved to the UK after Sergei became a double agent. He was tried for high treason and imprisoned in Russia – and later exchanged in a spy swap. But five years after Yulia’s phone was targeted, the pair were poisoned with the nerve agent, Novichok, in Salisbury. The Foreign Office said the UK was taking “decisive action” with the sanctions against Russian spies.
The Foreign Office has announced that three units of the Russian military intelligence agency (GRU) have been hit with sanctions, alongside 18 military intelligence officers.
GRU officers attempted to murder Yulia Skripal and her father Sergei using the deadly Novichok nerve agent in Salisbury.
The 18 military intelligence officers have been targeted because of a sustained campaign of malicious cyber activity over many years, including in the UK, the Foreign Office said.
The government also accused the GRU of using cyber and information operations to “sow chaos, division and disorder in Ukraine and across the world”.
One of the groups sanctioned, Unit 26165, conducted online reconnaissance to help target missile strikes against Mariupol, including the bombing of Mariupol Theatre where hundreds of civilians, including children, were murdered.
Other military officers who have been sanctioned previously targeted Yulia Skripal’s mobile phone with malicious malware known as X-Agent.
The Skripals had moved to the UK after Sergei Skripal became a double agent, secretly working for the UK. He was tried for high treason and imprisoned in Russia – and later exchanged in a spy swap.
But five years after Yulia’s phone was targeted, the pair were poisoned with the nerve agent, Novichok, in Salisbury. Russia has always denied being involved in the chemical attack.
“GRU spies are running a campaign to destabilise Europe, undermine Ukraine’s sovereignty and threaten the safety of British citizens,” Foreign Secretary David Lammy said.
“The Kremlin should be in no doubt: we see what they are trying to do in the shadows and we won’t tolerate it.”
He said the UK was taking “decisive action” with the sanctions against Russian spies.
“Putin’s hybrid threats and aggression will never break our resolve. The UK and our allies’ support for Ukraine and Europe’s security is ironclad.”
Those sanctioned today include:
• Aleksandr Vladimirovich Osadchuk
• Yevgeniy Mikhaylovich Serebriakov
• Anatoliy Sergeyvich Kovalev
• Artem Valeryevich Ochichenko
• The 161st Specialist Training Centre (TsPS) (Unit 29155) of the GRU
• Vladislav Yevgenyevich Borovkov
• Nikolay Aleksandrovich Korchagin
• Yuriy Fedorovich Denisov
• Vitaly Aleksandrovich Shevchenko
• Ivan Sergeyevich Yermakov
• Aleksey Viktorovich Lukashev
• Sergey Sergeyevich Vasyuk
• Andrey Eduardovich Baranov
• Aleksey Sergeyevich Morenets
• Sergey Aleksandrovich Morgachev
• Artem Andreyevich Malyshev
• Yuriy Leonidovich Shikolenko
• Victor Borisovich Netyksho
• Dmitriy Aleksandrovich Mikhaylov
• African Initiative
• Artyom Sergeevich Kureyev
• Anna Sergeevna Zamaraeva
• Victor Aleksandrovich Lukovenko
NCSC exposes Fancy Bear’s Authentic Antics malware attacks
Authentic Antics is designed to steal login credentials and tokens for its victims’ email accounts, allowing Russian cyber spies to establish long-term access to their surveillance targets. The malware has been widely used since about 2023, and runs within Microsoft Outlook processes. It displays malicious login prompts to its target in order to get them to enter their credentials, which are then intercepted along with OAuth 2.0 authentication tokens for applications. The agency said that “significant thought” had gone into Authentic Antics’ design to ensure it blends in with normal activity. It talks only to legitimate services, meaning that when it is active it is much harder to pick out.
Authentic Antics is designed to steal login credentials and tokens for its victims’ email accounts, allowing Russian cyber spies to establish long-term access to their surveillance targets.
Fancy Bear, which goes by APT28 in some threat matrices, is operated as part of the 85th Main Special Service Centre, Military Unit 26165, and ultimately answers to the GRU, a successor intelligence agency to the KGB of Cold War legend.
“The use of Authentic Antics malware demonstrates the persistence and sophistication of the cyber threat posed by Russia’s GRU,” said NCSC operations director Paul Chichester.
“NCSC investigations of GRU activities over many years show that network defenders should not take this threat for granted and that monitoring and protective action is essential for defending systems.
“We will continue to call out Russian malicious cyber activity and strongly encourage network defenders to follow advice available on the NCSC website,” said Chichester.
Working with NCC Group, which provided samples of Authentic Antics, the NCSC’s experts have conducted a lengthy analysis of the malware, which blends in with everyday, legitimate activity to enable Fancy Bear to maintain persistent endpoint access to Microsoft cloud accounts.
The malware has been widely used since about 2023 and runs within Microsoft Outlook processes, where it displays malicious login prompts to get targets to enter their credentials. These are then intercepted along with OAuth 2.0 authentication tokens for various applications, likely including Exchange Online, SharePoint and OneDrive.
The NCSC said it had been cleverly designed to exploit growing familiarity among end-users with genuine Microsoft authentication prompts, including generating prompts from within Outlook processes, and ensuring they do not display too frequently.
Authentic Antics does not communicate with any command and control (C2) infrastructure and cannot receive additional tasking. It talks only to legitimate services, meaning that when it is active it is much harder to pick out. For example, it exfiltrates its victims’ data by sending emails from the compromised account to an email address controlled by Fancy Bear, and these sent emails do not show up in the victim’s sent items folder.
The agency said that “significant thought” had gone into Authentic Antics’ design to ensure it blends in with normal activity. Among other things, its presence on disk is limited, it stores data in Outlook-specific registry locations, and its codebase includes genuine Microsoft authentication library code as an obfuscation method.
“It is clear the intention of the malware is to gain persistent access to victim email accounts. This highlights the benefit of monitoring your tenant for suspicious logins,” said the NCSC’s analysts.
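One way to hunt for the exfiltration behaviour described above, where mail leaves the compromised account without appearing in Sent Items, is to reconcile outbound transport records against each mailbox's Sent Items. This is an added example, not code from the NCSC or NCC Group analysis; it assumes the tenant's transport logs still record the message, and the record layout, field names and sample data are constructed for illustration.

```python
from collections import Counter

# Constructed sample records; field names are hypothetical, not a real
# Exchange Online or message-trace export schema.
INTERNAL_DOMAINS = {"corp.example"}
TRANSPORT_LOG = [
    {"sender": "alice@corp.example", "recipient": "bob@corp.example", "message_id": "<m1@corp.example>"},
    {"sender": "alice@corp.example", "recipient": "partner@vendor.example", "message_id": "<m2@corp.example>"},
    {"sender": "alice@corp.example", "recipient": "drop@mail.example", "message_id": "<m3@corp.example>"},
    {"sender": "alice@corp.example", "recipient": "drop@mail.example", "message_id": "<m4@corp.example>"},
    {"sender": "carol@corp.example", "recipient": "client@vendor.example", "message_id": "<m5@corp.example>"},
    {"sender": "news@vendor.example", "recipient": "alice@corp.example", "message_id": "<m6@vendor.example>"},
]
# Message-IDs currently present in each mailbox's Sent Items folder.
SENT_ITEMS = {
    "alice@corp.example": {"<m1@corp.example>", "<m2@corp.example>"},
    "carol@corp.example": set(),  # carol deleted her copy: a benign miss
}


def domain(address):
    return address.rsplit("@", 1)[-1].lower()


def unrecorded_external_sends(transport_log, sent_items, internal_domains):
    """Outbound mail to external recipients with no copy in the sender's Sent Items."""
    misses = []
    for rec in transport_log:
        sender = rec["sender"].lower()
        if domain(sender) not in internal_domains:
            continue  # inbound mail, not sent by one of our mailboxes
        if domain(rec["recipient"]) in internal_domains:
            continue  # internal mail is out of scope for this check
        if rec["message_id"] in sent_items.get(sender, set()):
            continue  # normal client behaviour: a copy was saved
        misses.append(rec)
    return misses


def repeated_destinations(misses, min_hits=2):
    """Collapse misses to (sender, recipient, count), keeping repeats only.

    One missing copy is weak evidence (users delete sent mail, some apps
    send without saving); the same external address recurring is stronger.
    """
    counts = Counter((m["sender"].lower(), m["recipient"].lower()) for m in misses)
    hits = [(s, r, n) for (s, r), n in counts.items() if n >= min_hits]
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    misses = unrecorded_external_sends(TRANSPORT_LOG, SENT_ITEMS, INTERNAL_DOMAINS)
    for sender, recipient, n in repeated_destinations(misses):
        print(f"{sender} -> {recipient}: {n} sends with no Sent Items copy")
```

A hit from this check is a lead to correlate with sign-in and token activity for the same account, not a verdict on its own.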
UK sanctions Russian spies for ‘malicious cyber activity’
UK sanctions Russian spies for malicious activity. Foreign Secretary David Lammy said GRU spies were “running a campaign to destabilise Europe”. The EU placed its “strongest sanctions” yet on Russia on Friday. They included a ban on transactions related to the Nord Stream natural gas pipeline and lowering a cap on the price at which Russian oil can be bought. The UK joined the move to lower the price cap, with Chancellor Rachel Reeves saying Europe was “turning the screw on the Kremlin’s war chest”.
Hafsa Khalil, BBC News, and Frank Gardner, Security Correspondent
A number of Russian spies have been sanctioned for conducting a “sustained campaign of malicious cyber activity” including in the UK, the Foreign Office has said. Three military intelligence units from Russia’s GRU espionage agency and 18 officers have had sanctions placed on them for allegedly “spreading chaos and disorder on [Russian President Vladimir] Putin’s orders”. UK Foreign Secretary David Lammy linked the activity to the UK’s continued support of Ukraine, and said GRU spies were “running a campaign to destabilise Europe”. Separately, the European Union placed its “strongest sanctions” yet on Russia, which Ukrainian President Volodymyr Zelensky called “essential and timely”.
The latest EU measures, announced on Friday, included a ban on transactions related to the Nord Stream natural gas pipeline and lowering a cap on the price at which Russian oil can be bought. The UK joined the move to lower the price cap, with Chancellor Rachel Reeves saying Europe was “turning the screw on the Kremlin’s war chest”. They come as European allies hope to ratchet up the pressure on Russia to bring the three-year-long war in Ukraine to an end. But former Russian President Dmitry Medvedev, a close ally of Putin, said his nation’s economy would survive the sanctions and that Moscow will continue striking Ukraine “with increasing force”. The EU sanctions are the 18th round of such measures since Russia’s full-scale invasion of Ukraine began in 2022. The aim is to undermine Moscow’s ability to finance its war on Ukraine – something Western sanctions have so far failed to achieve, as Russia has increased its oil exports to China and India and operates a so-called shadow fleet of oil tankers around the globe.