- June 23, 2025
- Posted by: administrator
- Category: Google
Russian hackers bypass multi-factor authentication and access Gmail accounts by leveraging app-specific passwords in advanced social engineering attacks that impersonate U.S. Department of State officials.
The threat actor targeted well-known academics and critics of Russia in what is described as a “sophisticated and personalized novel social engineering attack” that did not rush the persons of interest into taking action.
Between April and early June, the hackers delivered meticulously developed phishing messages aimed at convincing recipients to create and share app-specific passwords that would provide access to their Gmail accounts.
An app-specific password is designed to allow third-party apps (e.g. an email client) that are considered less secure or older applications permission to access your Google Account if two-factor authentication (2FA) is active.
Security researchers at Google Threat Intelligence Group track the cyber actor as UNC6293. They believe they are state-sponsored and might be associated with APT29, a threat group under Russia’s Foreign Intelligence Service (SVR).
APT29 is tracked under multiple names (NobleBaron, Nobelium, Cozy Bear, CozyDuke, Midnight Blizzard) and has been operating since at least 2008.
Its targets include government networks, research institutes, and think tanks.
Slow-paced phishing
Academic research group The Citizen Lab investigated an incident from UNC6293’s spearphishing campaign that targeted Russian information operations expert Keir Giles.
The attack starts with an email signed by Claudie S. Weber, allegedly from the U.S. State Department, inviting Giles to “a private online conversation.”
“We believe that the attacker is aware that the State Department’s email server is apparently configured to accept all messages and does not emit a ‘bounce’ response even when the address does not exist” – The Citizen Lab
After several email exchanges where Giles expressed interest but disclosed that they might not be available on the indicated day, the threat actor invited him to join the State Department’s “MS DoS Guest Tenant” platform, “which would enable you to attend future meetings with ease, regardless when they take place.”
During this period, they identified two campaigns, one relying on themes related to the U.S. Department of State and another that used lures associated with Ukraine and Microsoft.
Both campaigns included residential proxies (91.190.191[.]117) and virtual private servers (VPS) servers in the infrastructure, allowing the threat actor to stay anonymous when logging into compromised email accounts.
The two social engineering campaigns observed by The Citizen Lab and GTIG were skilfully crafted and relied on multiple fake identities, accounts, and various materials designed to add to the deception.
Users targeted with advanced phishing tactics are typically individuals closely involved in high-profile issues related to conflicts, litigation, or advocacy.
To keep them safe from skilled attackers, Google recommends enrolling into its Advanced Protection Program, which elevates security measures on the account and does not allow creating an app-specific password, or log in without providing a certain passkey.
Note: This article is copyright by bleepingcomputer.com and we are using it for educational or Information purpose only