# Full Report
Threat actors with suspected ties to Russia have been observed taking advantage of a Google account feature called application specific passwords (or app passwords) as part of a novel social engineering tactic designed to gain access to victims' emails. Details of the highly targeted campaign were disclosed by Google Threat Intelligence Group (GTIG) and the Citizen Lab, stating the activity
# Analysis Summary
# Threat Actor: UNC6293 (Likely APT29/Russian State-Sponsored)
## Attribution & Identity
**Attribution:** Suspected ties to Russia, linked to the Russian state-sponsored hacking group APT29.
**Aliases/Associated Groups:** APT29, BlueBravo, Cloaked Ursa, CozyLarch, Cozy Bear, ICECAP, Midnight Blizzard, and The Dukes.
**Internal Tracking:** Google Threat Intelligence Group (GTIG) tracks this cluster as UNC6293.
## Activity Summary
This description details a highly targeted phishing campaign observed from at least April through early June 2025. The activity specifically focused on impersonating the U.S. Department of State to gain persistent unauthorized access to victims' email accounts. The social engineering depended on extensive, measured rapport building over several weeks rather than on high-pressure tactics.
## Tactics, Techniques & Procedures
The core TTP leveraged is a novel social engineering tactic centered around Google's "application specific passwords" (ASPs) feature to bypass Two-Factor Authentication (2FA).
- **Social Engineering/Rapport Building:** Actor engages targets over several weeks with benign emails designed to establish contact before launching the main payload.
- **Impersonation:** Impersonates the U.S. Department of State via email.
- **Lures:** Initial emails were disguised as meeting invitations, featuring no fewer than four fictitious "@state.gov" email addresses in the CC line to lend an air of legitimacy (apparently exploiting a State Department mail-server configuration under which messages to non-existent addresses do not bounce).
- **2FA Bypass:** Victims are convinced to set up and share an Application Specific Password (a 16-digit passcode) under the pretext of needing to access a "fake Department of State cloud environment" for secure communications.
- **Persistence:** Once the ASP is shared, the attackers establish persistent access to the victim's mailbox.
## Targeting
**Sectors:** Academics and critics of Russia were the primary targets mentioned.
**Geography:** Not explicitly stated; the U.S. Department of State lure and the focus on critics of Russia suggest an international scope centered on individuals perceived as adversaries.
**Victims:** Prominent academics and critics of Russia.
## Tools & Infrastructure
**Malware Families Used:** None explicitly named in the context provided, but the TTP focuses on leveraging legitimate account features (ASPs).
**Infrastructure (C2, domains, IPs):** The campaign utilized fictitious "@state.gov" email addresses in the CC line, exploiting the perceived legitimacy of these domains. No specific C2 infrastructure or IP addresses were detailed in the summary text.
## Implications
This campaign demonstrates a highly sophisticated and patient approach by APT29 to overcoming modern security measures like 2FA by exploiting user trust and built-in account features (ASPs). Its success relies on meticulously crafted social engineering that avoids common indicators of urgency, suggesting a long-term intelligence-gathering motivation against high-value individuals critical of Russian policy.
## Mitigations
- **User Education:** Users, especially high-value targets, must understand what Application Specific Passwords (ASPs) are and what access they grant, and must never share these codes.
- **Authentication Review:** Organizations utilizing Google Workspace should review current policies regarding ASP generation and enforce stronger MFA methods if available.
- **Social Engineering Awareness:** Improved awareness training focusing on low-urgency, long-term rapport-building spear-phishing attempts.
- **Infrastructure Verification:** Awareness that legitimate-looking external domains in the CC line do not inherently guarantee authenticity, especially when coupled with requests for sensitive credentials.
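As an added example (not part of the report or of GTIG's published material), a small mail-triage heuristic that flags messages matching the lure pattern described in the Tactics, Techniques & Procedures list and the Infrastructure Verification item above: several CC recipients on one official-looking domain unrelated to the sender, combined with a body asking the recipient to create or share an app-specific password. The sample message, its addresses and the threshold of three same-domain CC recipients are constructed assumptions.

```python
import re
from collections import Counter
from email import message_from_string, policy
from email.utils import getaddresses

# Constructed sample lure modelled on the reported campaign (not a real capture).
SAMPLE_LURE = """\
From: "Meeting Coordinator" <coordinator@example.com>
To: target@example.org
Cc: a.smith@state.gov, b.jones@state.gov, c.lee@state.gov, d.park@state.gov
Subject: Invitation: follow-up discussion
Content-Type: text/plain

Thank you for your patience over the past weeks. To join the Department's
secure cloud environment, please create an app password in your Google
account security settings and send us the 16-character code.
"""

# Phrases that typically accompany a request to share an app-specific password.
ASP_PATTERNS = [
    r"app(lication)?[ -]specific password",
    r"app password",
    r"16[- ]?(digit|character) (code|passcode|password)",
]

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def score_lure(raw, min_cc_same_domain=3):
    """Return (score, reasons) for one raw RFC 5322 message; score is the
    number of lure indicators found (0 means nothing suspicious)."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    from_addrs = getaddresses([str(msg.get("From", ""))])
    sender_domain = domain_of(from_addrs[0][1]) if from_addrs else ""
    # Indicator 1: a cluster of CC recipients on a domain the sender does not belong to.
    cc_domains = Counter(domain_of(a) for _, a in getaddresses([str(msg.get("Cc", ""))]))
    for domain, n in cc_domains.items():
        if domain and n >= min_cc_same_domain and domain != sender_domain:
            reasons.append(f"{n} CC recipients at {domain}, sender is {sender_domain or 'unknown'}")
    # Indicator 2: the body asks for an app-specific password.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for pattern in ASP_PATTERNS:
        if re.search(pattern, text, re.IGNORECASE):
            reasons.append(f"body matches /{pattern}/")
    return len(reasons), reasons
```

Run over a mailbox export, a score of 2 or more is worth a manual look; a single CC-cluster hit alone is common in legitimate mail and should not page anyone.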