Full Report
A prominent expert on Russian information operations was targeted by a sophisticated spear-phishing attack likely carried out by Russian state-linked hackers
Analysis Summary
# Threat Actor: UNC6293 (Associated with APT29/SVR)
## Attribution & Identity
* **Identified as:** UNC6293, investigated by Google Threat Intelligence Group (GTIG) and Citizen Lab.
* **Known Aliases/Associations:** Assessed "with low confidence" to be associated with **APT29**, a cyber espionage group linked to Russia’s Foreign Intelligence Service (SVR).
## Activity Summary
The investigated attack involved a sophisticated spear-phishing campaign targeting Keir Giles, a British expert on Russian information operations and senior fellow at Chatham House.
* **Campaign Focus:** Luring the target into handing over account access (an app-specific password) under the guise of official business.
* **Initial Lure:** An email dated May 22, 2025, from an apparent impersonator named ‘Claudie S. Weber,’ posing as a senior program advisor at the US Department of State (DoS), inviting Giles to a consultation.
* **Technique:** The attacker used plausible social engineering, mimicking a common professional scenario and cc'ing four non-existent *@state.gov* addresses to add credibility. The trick works because the State Department's mail servers accept mail for addresses that do not exist instead of bouncing it, so the fake CC recipients never generated a delivery failure that would have exposed them.
* **Goal Execution:** Subsequent communication provided a fake PDF ("MS DoS Guest Tenant") instructing Giles to create an **app-specific password (ASP)** on his Google account and share it, supposedly to gain "access" to a secure government resource. An ASP is a standalone password that legacy mail clients can present without a second-factor prompt, so handing it over gave the attacker persistent access to the target's MFA-protected account.
* **Related Activity:** GTIG identified an earlier campaign, beginning in April 2025, that used a Ukraine- and Microsoft-themed ASP lure.
## Tactics, Techniques & Procedures
* **Social Engineering:** Highly sophisticated, with unhurried pacing and adaptation to the target's replies (e.g., a non-pressuring follow-up when the initially proposed meeting time did not work).
* **Impersonation:** Posing as US State Department personnel, utilizing plausible invitations (consultation requests).
* **Credential Harvesting:** Specifically targeting the creation and acquisition of **App-Specific Passwords (ASPs)** on personal Google accounts. ASPs exist so that legacy clients (IMAP/SMTP mail apps and similar) can authenticate without completing 2-Step Verification; an attacker holding one therefore bypasses Multi-Factor Authentication (MFA) without needing to phish a one-time code or push approval.
* **Document Forgery:** Using PDFs visually reminiscent of legitimate State Department documents to frame the request.
* **LLM Utilization (Suspected):** Researchers assessed that the generic and evasive tone of the initial message suggested a Large Language Model (LLM) may have been used to draft it.
## Targeting
* **Sectors:** Think Tanks/Academic (specifically experts focused on Russian information operations).
* **Geography:** Targeting a UK-based expert (Keir Giles).
* **Victims:** Keir Giles (Chatham House).
## Tools & Infrastructure
* **Malware Families Used:** None reported. The campaign relied on a legitimate account feature (ASPs) rather than malware, which leaves no implant to detect on the endpoint.
* **Infrastructure (C2, domains, IPs):**
* Sender Email Used: claudie.s.weber[at]gmail.com
* Impersonated Emails (CC'd): four non-existent *@state.gov* addresses, including WeberCS[at]state.gov, added purely for credibility.
## Implications
The campaign demonstrates the actor's willingness to invest significant time and complexity into highly contextualized, low-and-slow spear-phishing directed at high-value critics of Russian state influence. The active targeting of ASPs indicates an evolving technique for circumventing MFA on personal accounts, which are often used alongside professional ones and typically sit outside any enterprise security program. Access to a target's mailbox supports the overarching objective of espionage, and exfiltrated correspondence could later be manipulated or released in support of information operations.
## Mitigations
* **Avoid ASPs:** Do not create an app-specific password at someone else's request; no legitimate organization needs you to generate one to grant you access to its systems. Enrolling in Google's Advanced Protection Program (APP) removes the ability to create ASPs entirely.
* **Review ASP Usage:** Periodically list the ASPs on the account and revoke any that are unrecognized or no longer needed; a forgotten ASP is a standing MFA bypass.
* **Monitor Activity:** Regularly review account activity and security notifications, especially the alert Google sends when a new ASP is created, and treat an ASP you did not knowingly create as a compromise.
* **Enhanced Security:** Individuals deemed high-risk for targeted attacks should adopt advanced security measures such as Google's Advanced Protection Program (APP), which requires hardware security keys and blocks legacy-credential access paths.
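The detection logic implied by the ASP technique described under Tactics, Techniques & Procedures and by the "Review ASP Usage" and "Monitor Activity" mitigations above, as an added example that is not part of the original report. The audit-event schema, the `SAMPLE_LOG` lines and the `ASP_INVENTORY` records are all constructed for illustration (no real account data, and not Google's log format); map your provider's login and user-settings events onto these field names before use. The example goes slightly beyond the single incident: it correlates any ASP creation with a later legacy-protocol login from a different origin, and it lists ASPs that have gone unused long enough to be revoked.

```python
"""Correlate app-specific-password (ASP) events with legacy-protocol logins.

Two detections and one hygiene check:
  1. An ASP-authenticated login from a country never seen on an interactive
     (password + 2SV) login for that user.
  2. An ASP created from one IP and then used, within a short window, from a
     different IP (the "create it here, I will use it there" phishing pattern).
  3. ASPs that are unused for longer than a threshold, as revocation candidates.

Event field names below are an assumption of this example, not a provider schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

CORRELATION_WINDOW = timedelta(hours=24)

# Constructed sample audit log (JSON lines). Not taken from any real account.
SAMPLE_LOG = """\
{"ts": "2025-05-22T09:14:00Z", "user": "target@example.org", "event": "login", "method": "password+2sv", "protocol": "web", "ip": "203.0.113.10", "country": "GB"}
{"ts": "2025-05-29T16:02:00Z", "user": "target@example.org", "event": "asp_created", "asp_name": "DoS Guest Tenant", "ip": "203.0.113.10", "country": "GB"}
{"ts": "2025-05-29T16:40:00Z", "user": "target@example.org", "event": "login", "method": "app_password", "protocol": "imap", "ip": "198.51.100.7", "country": "NL"}
{"ts": "2025-06-01T03:12:00Z", "user": "target@example.org", "event": "login", "method": "app_password", "protocol": "imap", "ip": "198.51.100.7", "country": "NL"}
{"ts": "2025-06-02T09:00:00Z", "user": "other@example.org", "event": "login", "method": "password+2sv", "protocol": "web", "ip": "192.0.2.4", "country": "GB"}
{"ts": "2025-06-02T10:00:00Z", "user": "other@example.org", "event": "asp_created", "asp_name": "Thunderbird laptop", "ip": "192.0.2.4", "country": "GB"}
{"ts": "2025-06-02T10:05:00Z", "user": "other@example.org", "event": "login", "method": "app_password", "protocol": "imap", "ip": "192.0.2.4", "country": "GB"}
"""

# Constructed ASP inventory, as an account-settings export might look.
ASP_INVENTORY = [
    {"name": "DoS Guest Tenant", "last_used": datetime(2025, 6, 1)},
    {"name": "Old phone mail", "last_used": datetime(2025, 1, 15)},
    {"name": "Never used", "last_used": None},
]


def parse_events(raw):
    """Parse JSON lines into dicts with aware datetimes, oldest first."""
    events = [json.loads(line) for line in raw.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def detect_asp_abuse(events, window=CORRELATION_WINDOW):
    """Return alerts as (rule, user, timestamp_iso, detail) tuples."""
    alerts = []
    baseline = defaultdict(set)     # user -> countries seen on interactive logins
    asp_created = defaultdict(list)  # user -> [(ts, ip, asp_name)]
    for e in events:
        user = e["user"]
        if e["event"] == "login" and e["method"] != "app_password":
            # Interactive login with 2SV: trusted enough to build the geo baseline.
            baseline[user].add(e["country"])
        elif e["event"] == "asp_created":
            asp_created[user].append((e["ts"], e["ip"], e["asp_name"]))
        elif e["event"] == "login" and e["method"] == "app_password":
            # Rule 1: legacy-protocol login via ASP from a country with no interactive history.
            if e["country"] not in baseline[user]:
                alerts.append(("asp_login_new_geo", user, e["ts"].isoformat(),
                               f"{e['protocol']} from {e['ip']} ({e['country']})"))
            # Rule 2: ASP created recently from one IP, used from another within the window.
            for created, ip, name in asp_created[user]:
                if created <= e["ts"] <= created + window and ip != e["ip"]:
                    alerts.append(("asp_created_then_used_elsewhere", user, e["ts"].isoformat(),
                                   f"ASP '{name}' created from {ip}, used from {e['ip']}"))
    return alerts


def stale_asps(inventory, now, max_idle_days=30):
    """Names of ASPs never used or idle longer than max_idle_days: revoke these."""
    cutoff = now - timedelta(days=max_idle_days)
    return [a["name"] for a in inventory
            if a["last_used"] is None or a["last_used"] < cutoff]


if __name__ == "__main__":
    for alert in detect_asp_abuse(parse_events(SAMPLE_LOG)):
        print(*alert, sep=" | ")
    print("Revoke:", stale_asps(ASP_INVENTORY, datetime(2025, 6, 5)))
```

Rule 1 is the one that would have caught the incident in the report: the phished ASP is, by construction, used from the attacker's infrastructure rather than from anywhere the victim has ever completed 2SV. The second user in the sample log creates and uses an ASP from the same machine and produces no alert, which is the benign legacy-client case the rules are tuned to ignore.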