Full Report
They weren’t in any hurry, according to Citizen Lab, and used an interesting attack vector. Google Threat Intelligence Group also provided details on the attacks. The post Unusually patient suspected Russian hackers pose as State Department in ‘sophisticated’ attacks on researchers appeared first on CyberScoop.
Analysis Summary
# Threat Actor: UNC6293
## Attribution & Identity
UNC6293 is suspected to be working on behalf of the Russian government. Google's Threat Intelligence Group (GTIG) assesses that the actor is potentially linked to a unit tied to Russia's Foreign Intelligence Service, tracked under names such as **APT29**, **Cozy Bear** or ICECAP.
## Activity Summary
The actor executed a highly sophisticated social engineering attack targeting researcher and Russian military expert **Keir Giles**, a senior consulting fellow for the Russia and Eurasia program at Chatham House. The campaign involved:
- Sending a convincing solicitation email purportedly from a state.gov address, requesting a consultation scheduled during East Coast business hours.
- Using a realistic, well-constructed domain name.
- Operating with extreme patience, unfolding the deception over a period of weeks without obvious technical errors.
- Pursuing the goal of gaining access to Giles' Google accounts.
- GTIG also observed other slow-roll, ASP-based attacks against academics and Russia critics from April through the current month.
## Tactics, Techniques & Procedures
- Highly sophisticated social engineering, characterized by patience and convincing English communications.
- Impersonation of US State Department communication channels, exploiting the fact that the State Department's email server accepts all messages without sending bounces for non-existent addresses, so fabricated state.gov addresses do not reveal themselves.
- **Novel MFA Bypass Method:** The final technical step involved convincing the target to create and share a screenshot of an **App-Specific Password (ASP)**, which granted the attackers access to Google accounts that utilized MFA.
- Social engineering whose well-crafted deceptions were potentially aided by Large Language Models (LLMs).
## Targeting
- **Sectors:** Academics and individuals who are known critics of Russia.
- **Geography:** Individuals based in regions relevant to Russian foreign policy commentary (e.g., Keir Giles).
- **Victims:** Specifically mentioned targeting researcher Keir Giles. GTIG notes they have seen similar attacks against academics and Russia critics.
## Tools & Infrastructure
- **Malware families used:** Not explicitly detailed; the activity focused primarily on account takeover via social engineering.
- **Infrastructure (C2, domains, IPs):** Used a realistic domain name to direct the victim. Further details on broader infrastructure are not provided in this excerpt.
## Implications
This group demonstrates a significant shift in tradecraft, moving past basic password harvesting to exploit security conveniences like App-Specific Passwords (ASPs) to bypass robust multi-factor authentication. Their extreme patience and deliberate construction of deceptions make them difficult to detect using standard security awareness training. This low-and-slow approach is noted as being too time-consuming for widespread use, suggesting the targets are highly valuable individuals.
## Mitigations
- Users highly susceptible to being hacked (e.g., high-profile critics, journalists) should enroll in enhanced security programs like Google’s **Advanced Protection Program**, which explicitly forbids the use of ASPs.
- Be highly skeptical of requests involving the creation or sharing of App-Specific Passwords, even if the preceding social engineering feels authentic.
- Security vendors should prioritize alerts and education surrounding the legitimate, but exploitable, use case of ASPs in credential harvesting.
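As an added illustration of the alerting the mitigations above call for (example code written for this summary, not GTIG's or Google's), the following Python flags the takeover pattern described under Tactics, Techniques & Procedures: an App-Specific Password is created on an account and is then used to log in from an address the user had never logged in from before. The log lines are constructed samples in a simplified JSON format, not Google Workspace's real audit schema; the event names `login` and `asp_created` are assumptions of that format.

```python
import json
from datetime import datetime, timedelta

# Constructed sample log (simplified JSON lines). IPs are from documentation ranges.
# alice: ASP created, then used from a never-before-seen address (suspicious).
# bob:   ASP created and used from his usual address (likely a real mail client).
SAMPLE_LOG = """\
{"ts": "2025-05-01T09:12:00", "user": "alice", "event": "login", "auth": "password+mfa", "ip": "203.0.113.10"}
{"ts": "2025-05-02T08:40:00", "user": "bob", "event": "login", "auth": "password+mfa", "ip": "203.0.113.22"}
{"ts": "2025-05-05T10:00:00", "user": "bob", "event": "asp_created", "auth": null, "ip": "203.0.113.22"}
{"ts": "2025-05-05T10:05:00", "user": "bob", "event": "login", "auth": "asp", "ip": "203.0.113.22"}
{"ts": "2025-05-20T15:30:00", "user": "alice", "event": "asp_created", "auth": null, "ip": "203.0.113.10"}
{"ts": "2025-05-21T03:14:00", "user": "alice", "event": "login", "auth": "asp", "ip": "198.51.100.7"}
"""


def parse_log(text):
    """Parse JSON lines into event dicts, sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def find_asp_takeovers(events, window=timedelta(days=30)):
    """Return alerts for ASP logins, within `window` of the ASP's creation,
    that come from an IP the user had never logged in from before the ASP existed."""
    alerts = []
    for i, e in enumerate(events):
        if e["event"] != "asp_created":
            continue
        user, created = e["user"], e["ts"]
        # Baseline: every address this user logged in from before the ASP was created.
        baseline = {x["ip"] for x in events[:i]
                    if x["user"] == user and x["event"] == "login"}
        for x in events[i + 1:]:
            if x["ts"] - created > window:
                break  # events are sorted, nothing later can be inside the window
            if x["user"] != user or x["event"] != "login" or x["auth"] != "asp":
                continue
            if x["ip"] not in baseline:
                alerts.append({"user": user, "asp_created": created.isoformat(),
                               "login_ts": x["ts"].isoformat(), "login_ip": x["ip"]})
    return alerts


if __name__ == "__main__":
    for alert in find_asp_takeovers(parse_log(SAMPLE_LOG)):
        print("ASP used from new address:", alert)
```

Legitimate mail clients on new devices will also trip this, so treat it as a triage signal to confirm with the user, not a verdict; for the highest-risk accounts the stronger control remains the Advanced Protection Program, which removes ASPs entirely.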