Full Report
Keir Giles, a prominent expert on Russia, was targeted with a new form of social-engineering attack that leverages App-Specific Passwords. Google links the operation to UNC6293, a Russian state-backed group.
Analysis Summary
# Threat Actor: UNC6293
## Attribution & Identity
* **Attribution:** Russian state-backed group identified by Google Threat Intelligence Group (GTIG).
* **Association:** Linked with low confidence to **APT29**, which is attributed to Russia’s Foreign Intelligence Service (SVR).
* **Aliases:** UNC6293.
## Activity Summary
The actor executed a sophisticated, personalized and novel social-engineering attack against **Keir Giles**, a prominent expert on Russian information operations and a senior associate at Chatham House. The attack deceived Mr. Giles into creating **App-Specific Passwords (ASPs)** for his accounts and sending them to the attacker, which bypasses Multi-Factor Authentication (MFA) because a sign-in with an ASP is not challenged for a second factor. The compromise attempt was ultimately detected and blocked by Google.
## Tactics, Techniques & Procedures
* Social Engineering: Used highly personalized and plausible scenarios (e.g., outreach framed as a routine consultation invitation from a purported U.S. State Department official, "Claudie S. Weber").
* MFA Bypass: Exploited the fact that certain legacy applications require App-Specific Passwords (ASPs), convincing the target to generate and share these codes; because an ASP authenticates without a second-factor prompt, standard MFA protections were bypassed.
* Deception: Took extensive measures to avoid arousing the target's suspicion throughout the interaction.
* Platform Cross-Pollination (implied from the broader trends the report describes rather than from this incident, which centred on email and ASP generation): the wider context points to a trend of splitting attack elements across different ecosystems.
## Targeting
* Sectors: Academia/Policy Experts critical of Russia (implied, based on the victim's profile).
* Geography: Not explicitly stated, but the victim is based in the UK (Chatham House). The actor is Russian state-backed.
* Victims: **Keir Giles** (academic expert on Russian information operations and Chatham House senior associate).
## Tools & Infrastructure
* Malware Families Used: None specified in the context of this particular ASP attack.
* Infrastructure (C2, domains, IPs): Not detailed, but the initial contact utilized an email purporting to come from a U.S. State Department official. There are no defanged URLs or IPs provided for this specific incident.
## Implications
The observed use of sophisticated social engineering targeting App-Specific Passwords (ASPs) represents a highly creative and effective MFA-bypass technique, especially against targets who are security-aware. This method works around increasingly robust MFA defenses by targeting legacy or alternate access flows that do not enforce a second factor. Given its success in fooling a prominent analyst, this *novel social engineering* tactic is expected to be leveraged against other high-value targets in the future, particularly those using personal Gmail accounts where ASP generation remains possible.
## Mitigations
* Disable ASPs: Review user accounts and immediately disable App-Specific Passwords unless they are absolutely required for specific, necessary use cases.
* User Education: Enhance security awareness programs to specifically educate users about the existence and security implications of App-Specific Passwords (ASPs), including their use on personal accounts.
* Provider Recommendations (for Google/others): Implement additional warning text or interstitial screens on the "App passwords" generation page to alert users to the possibility of targeted social engineering attacks exploiting this feature.
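As an added defensive example (not from the report and not Google's code), the following Python audit reviews the ASPs listed for a Workspace user and flags any that are recently created, never used, or not on a sanctioned-app list, which is the pattern a freshly phished ASP would show. The response shape, field names and the `asps.delete` call are assumed from the Admin SDK Directory API `asps` resource and should be verified against current documentation; the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like an Admin SDK Directory API asps.list()
# response (field names assumed from that API; verify against current docs).
SAMPLE_ASPS_RESPONSE = {
    "kind": "admin#directory#aspList",
    "items": [
        {"codeId": 1, "name": "Thunderbird", "userKey": "analyst@example.org",
         "creationTime": "1704067200000", "lastTimeUsed": "1749600000000"},
        {"codeId": 2, "name": "State Dept platform", "userKey": "analyst@example.org",
         "creationTime": "1749772800000", "lastTimeUsed": "0"},
    ],
}

# Apps the organisation has sanctioned for ASP use (hypothetical allowlist).
SANCTIONED_APPS = frozenset({"Thunderbird"})


def ms_to_dt(ms):
    """Convert the API's millisecond-epoch string to an aware datetime (None if 0)."""
    ms = int(ms or 0)
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc) if ms else None


def review_asps(response, now, max_age_days=7, sanctioned=SANCTIONED_APPS):
    """Return {codeId: [reasons]} for every ASP that warrants review or revocation."""
    flagged = {}
    for asp in response.get("items", []):
        reasons = []
        created = ms_to_dt(asp.get("creationTime"))
        used = ms_to_dt(asp.get("lastTimeUsed"))
        # A new ASP shortly after an unsolicited contact is the key signal.
        if created and now - created <= timedelta(days=max_age_days):
            reasons.append("created in the last %d days" % max_age_days)
        if used is None:
            reasons.append("never used")
        if asp.get("name") not in sanctioned:
            reasons.append("app name not on sanctioned list")
        if reasons:
            flagged[asp["codeId"]] = reasons
    return flagged


def revocation_plan(response, flagged):
    """(userKey, codeId) pairs to pass to asps.delete(userKey=..., codeId=...)."""
    return [(a["userKey"], a["codeId"]) for a in response.get("items", [])
            if a["codeId"] in flagged]


if __name__ == "__main__":
    now = datetime(2025, 6, 15, tzinfo=timezone.utc)
    flagged = review_asps(SAMPLE_ASPS_RESPONSE, now)
    for code_id, reasons in flagged.items():
        print(code_id, "; ".join(reasons))
    print(revocation_plan(SAMPLE_ASPS_RESPONSE, flagged))
```

Run against a live `asps().list(userKey=...)` response per user, the flagged entries become the revocation list and the reason strings feed the user-notification step of the mitigation above.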