Full Report
Russian hackers bypass multi-factor authentication and access Gmail accounts by leveraging app-specific passwords in advanced social engineering attacks that impersonate U.S. Department of State officials. [...]
Analysis Summary
# Threat Actor: UNC6293
## Attribution & Identity
The threat actor is identified as **UNC6293**, attributed by researchers to **Russian hackers**. No other specific group associations were detailed beyond the general "Russian hackers" context provided in the headline.
## Activity Summary
UNC6293 conducted targeted spear-phishing campaigns from at least April through the beginning of June. The primary goal of these campaigns was to steal credentials and bypass Multi-Factor Authentication (MFA) protections on Gmail accounts, granting the actor full access to compromised accounts. Two distinct campaigns were observed:
1. A campaign using lures related to the **U.S. Department of State**.
2. A campaign using lures associated with **Ukraine and Microsoft**.
## Tactics, Techniques & Procedures
The primary technique leveraged was sophisticated social engineering combined with credential theft targeting MFA mechanisms:
- Spear-phishing that leverages fake identities and deceptive materials.
- Instructions provided to victims for creating and sharing **app-specific passwords** for Gmail.
- Use of residential proxies and VPS infrastructure to mask login locations.
- **MITRE ATT&CK Tactic:** Initial Access, Defense Evasion.
## Targeting
- **Sectors:** Individuals closely involved in high-profile issues related to conflicts, litigation, or advocacy.
- **Geography:** Not explicitly stated, but the nature of the lures (US Dept of State, Ukraine) suggests international targeting relevant to geopolitical conflicts.
- **Victims:** Individuals with high-value Gmail accounts, including academics and critics of Russia.
## Tools & Infrastructure
- **Malware families used:** None specifically named; the technique relies on social engineering to obtain legitimate credentials (app-specific passwords) rather than on malware.
- **Infrastructure (C2, domains, IPs):**
- Residential Proxies: `91.190.191[.]117`
- Virtual Private Servers (VPS).
## Implications
UNC6293 demonstrates a high degree of sophistication in social engineering, specifically targeting a weakness in current Google account security for high-value targets: app-specific passwords, which the actor instructs victims to generate and share, and which bypass standard MFA challenges for certain applications. This suggests an ongoing, focused effort to gain intelligence on, or compromise, key personnel involved in sensitive areas.
## Mitigations
- Users are advised to enroll in Google's **Advanced Protection Program**, as this program prevents the creation or use of app-specific passwords and enforces stricter security measures.
- General security hygiene also applies: awareness of sophisticated spear-phishing themed around conflicts or litigation, and vigilance against any request to generate or share an app-specific password. Users can review and revoke existing app-specific passwords from their Google account security settings.
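The TTPs above (app-specific passwords used from residential proxies and VPS infrastructure) and the mitigations suggest an obvious detection: flag any login that authenticated with an app-specific password from an IP the user has never used interactively, or from a watchlisted indicator. The following is an added example written for this summary, not code from the original report or from Google; the event schema and `method` values are constructed for illustration and do not correspond to Google's real login audit log format, so field names must be mapped from whatever your SIEM exports. The one IP in the watchlist is the indicator published in the report.

```python
"""Flag logins that used an app-specific password from unfamiliar or
watchlisted infrastructure.

The LoginEvent schema and the `method` values are CONSTRUCTED for this
example; they are not Google's real login audit log format.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Indicator taken from the report, kept defanged exactly as published.
REPORT_IOCS = ["91.190.191[.]117"]


def refang(ip: str) -> str:
    """Turn a defanged indicator such as '1.2.3[.]4' back into a parseable IP."""
    return ip.replace("[.]", ".").replace("(.)", ".")


WATCHLIST = {ipaddress.ip_address(refang(i)) for i in REPORT_IOCS}


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: str       # ISO-8601 UTC timestamp; sorted as a string, not parsed
    ip: str
    method: str   # assumed values: "password_2sv", "oauth", "app_password"


# Constructed sample events (not real log data). Interactive 2SV/OAuth
# logins build each user's baseline of known IPs; the app-password logins
# reproduce the pattern described in the report.
SAMPLE_EVENTS = [
    LoginEvent("alice@example.org", "2025-04-01T08:00:00Z", "203.0.113.10", "password_2sv"),
    LoginEvent("alice@example.org", "2025-04-02T08:05:00Z", "203.0.113.10", "oauth"),
    LoginEvent("alice@example.org", "2025-04-03T08:10:00Z", "203.0.113.11", "password_2sv"),
    # New IP but an interactive 2SV login: low signal on its own, not flagged.
    LoginEvent("alice@example.org", "2025-05-20T13:00:00Z", "198.51.100.7", "password_2sv"),
    # App-password login from an IP alice never used interactively: flagged.
    LoginEvent("alice@example.org", "2025-05-21T02:14:00Z", "198.51.100.42", "app_password"),
    # App-password login from the report's residential-proxy indicator: flagged.
    LoginEvent("bob@example.org", "2025-05-22T03:30:00Z", "91.190.191.117", "app_password"),
    # App-password login from an IP bob already used interactively: not flagged.
    LoginEvent("bob@example.org", "2025-04-10T09:00:00Z", "192.0.2.5", "password_2sv"),
    LoginEvent("bob@example.org", "2025-05-23T09:00:00Z", "192.0.2.5", "app_password"),
]


def detect_app_password_abuse(events):
    """Return (user, ip, reason) tuples, in chronological order, for every
    app-password login that came from a watchlisted IP or from an IP with
    no earlier interactive (non-app-password) login by the same user."""
    known_ips = defaultdict(set)   # user -> IPs seen in interactive logins so far
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.method != "app_password":
            known_ips[e.user].add(e.ip)   # interactive login extends the baseline
            continue
        if ipaddress.ip_address(e.ip) in WATCHLIST:
            alerts.append((e.user, e.ip, "watchlisted ip"))
        elif e.ip not in known_ips[e.user]:
            alerts.append((e.user, e.ip, "app password from unseen ip"))
    return alerts


if __name__ == "__main__":
    for user, ip, reason in detect_app_password_abuse(SAMPLE_EVENTS):
        print(f"ALERT {user} {ip}: {reason}")
```

An app-password login from an IP the user already used interactively is deliberately left unflagged to keep noise down; in a real deployment the baseline would be seeded from historical logs and enriched with ASN or residential-proxy reputation rather than a single published indicator.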