Full Report
They weren’t in any hurry, according to Citizen Lab, and used an interesting attack vector. Google Threat Intelligence Group also provided details on the attacks. The post Unusually patient suspected Russian hackers pose as State Department in ‘sophisticated’ attacks on researchers appeared first on CyberScoop.
Analysis Summary
# Threat Actor: UNC6293 (Suspected State-Sponsored Actor)
## Attribution & Identity
The attackers are suspected to be working on behalf of the Russian government. Google Threat Intelligence Group (GTIG) has dubbed the group **UNC6293** and assesses they are potentially connected to a unit tied to **Russia’s Foreign Intelligence Service (SVR)**, known by aliases such as **APT29** or **ICECAP**.
## Activity Summary
UNC6293 ran a patient, highly credible social engineering campaign against Keir Giles, a senior consulting fellow at Chatham House and a prominent expert on the Russian military. The deception unfolded as a "slow roll" over weeks of correspondence. The end goal was to take over Giles' Google accounts by talking him into creating an App-Specific Password (ASP) and handing it over, a technique that sidesteps the account's MFA. The messages were written in fluent English, carried realistic context (the opening solicitation appeared to come from a state.gov address), and applied only subtle pressure, avoiding the usual phishing red flags. The same ASP-based method has been seen in other slow-roll attacks on academics and critics of Russia since April.
## Tactics, Techniques & Procedures
- Highly credible, patient social engineering spanning weeks.
- Impersonation using a realistic-looking domain name and messages free of the spelling and formatting errors that usually give phishing away.
- Exploitation of knowledge about the target environment: the State Department mail server accepts messages to non-existent addresses without sending a bounce, so fake *state.gov* recipients on the thread raised no alarm.
- Possible use of large language models to polish the wording of the correspondence.
- **Novel method:** the victim was talked into creating an **App-Specific Password (ASP)**, a Google credential that lets legacy clients sign in without a second factor, and sending it to the attacker as a screenshot. With that ASP the attacker could sign in to the MFA-protected Google account without triggering an MFA prompt.
- Awareness of what targets and defenders expect: the operators deliberately avoided the urgency and haste that typify phishing.
## Targeting
- Sectors: academics and critics of the Russian government. Associated APT29 activity typically targets diplomatic organizations and NGOs.
- Geography: individuals focused on or critical of Russia. Messages were timed to US East Coast business hours, matching the claimed State Department sender.
- Victims: Prominent researcher and Russian military expert **Keir Giles**.
## Tools & Infrastructure
- Malware families used: none reported. Access came through the victim's own account configuration (an attacker-held ASP), not through an implant.
- Infrastructure (C2, domains, IPs): a realistic-looking domain was created for redirection, and the opening solicitation appeared to come from a *state.gov* address. No C2 servers or IP addresses are detailed in the reporting.
## Implications
The campaign shows a patient, well-resourced state-sponsored adversary adapting to MFA by abusing a legitimate secondary access mechanism (ASPs) rather than attacking the second factor directly. The detailed reconnaissance and slow-burn approach were designed to defeat the instincts that experienced targets rely on to spot phishing, which suggests a shift in tradecraft against high-value individuals who already know the classic warning signs.
## Mitigations
- **Enable Google's Advanced Protection Program (APP)**, which blocks the creation and use of App-Specific Passwords, so this technique cannot be used against enrolled accounts.
- Treat any request to generate or share a credential, including an ASP, as a red flag, however legitimate the surrounding correspondence looks.
- Security tooling should alert on ASP creation and on the first use of an ASP from an unfamiliar network or client, particularly for high-risk users.
- Educate users that social engineering can be extremely patient and can mimic legitimate, slow-paced correspondence convincingly.
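The ASP technique described under Tactics, Techniques & Procedures and the detection recommendation above come together in the following added example, which is not from the CyberScoop or GTIG reporting. It runs a simple rule over constructed audit events: an ASP is created, and within a window it is used from a network the user has never signed in from interactively. The event schema (`asp_created`, `login_success` with a `method` field) is a hypothetical one chosen for the example, not Google Workspace's actual audit-log format, and the sample events are fabricated.

```python
"""Detect an App-Specific Password (ASP) being created and then used from an
unfamiliar network. Added example; the event schema is hypothetical and the
events are constructed, not real Google audit-log data."""
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network

# Constructed sample events in an assumed schema (fields: ts, user, event,
# method, ip, name). Not real log data and not Google's event names.
EVENTS = [
    # Baseline: the target signs in with password + MFA from a home network.
    {"ts": "2025-05-01T14:02:00Z", "user": "target@example.org",
     "event": "login_success", "method": "password_mfa", "ip": "203.0.113.10"},
    {"ts": "2025-05-03T09:15:00Z", "user": "target@example.org",
     "event": "login_success", "method": "password_mfa", "ip": "203.0.113.12"},
    # After weeks of correspondence the target creates an ASP for the "platform".
    {"ts": "2025-05-20T15:40:00Z", "user": "target@example.org",
     "event": "asp_created", "name": "conference-portal"},
    # Next day the ASP is used from a network the target has never used.
    {"ts": "2025-05-21T16:05:00Z", "user": "target@example.org",
     "event": "login_success", "method": "asp", "ip": "198.51.100.77"},
    # Benign control: another user creates an ASP for an old mail client and
    # uses it from their usual network, which should not alert.
    {"ts": "2025-05-10T08:00:00Z", "user": "alice@example.org",
     "event": "login_success", "method": "password_mfa", "ip": "192.0.2.44"},
    {"ts": "2025-05-11T08:05:00Z", "user": "alice@example.org",
     "event": "asp_created", "name": "old-mail-client"},
    {"ts": "2025-05-11T08:10:00Z", "user": "alice@example.org",
     "event": "login_success", "method": "asp", "ip": "192.0.2.44"},
]


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def network_of(ip, prefix=24):
    """Collapse an address to its /24 so small DHCP changes do not look new."""
    return ip_network(f"{ip}/{prefix}", strict=False)


def baseline_networks(events, user, before):
    """Networks seen in the user's interactive (non-ASP) logins before `before`."""
    return {network_of(e["ip"]) for e in events
            if e["user"] == user and e["event"] == "login_success"
            and e["method"] != "asp" and parse_ts(e["ts"]) < before}


def detect_asp_abuse(events, window_days=30):
    """Return one alert per ASP login from an unfamiliar network that occurs
    within `window_days` after an ASP was created for that user."""
    alerts = []
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    for created in (e for e in ordered if e["event"] == "asp_created"):
        user, t0 = created["user"], parse_ts(created["ts"])
        known = baseline_networks(ordered, user, t0)
        for login in ordered:
            t = parse_ts(login["ts"])
            if (login["user"] == user and login["event"] == "login_success"
                    and login["method"] == "asp"
                    and t0 <= t <= t0 + timedelta(days=window_days)
                    and network_of(login["ip"]) not in known):
                alerts.append({
                    "user": user,
                    "asp_name": created.get("name"),
                    "created": created["ts"],
                    "used": login["ts"],
                    "ip": login["ip"],
                    "lag_hours": round((t - t0).total_seconds() / 3600, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_asp_abuse(EVENTS):
        print(alert)
```

The rule fires for the target's ASP login from 198.51.100.77 and stays quiet for the benign control. To apply it for real, map your tenant's actual audit events onto the `asp_created` and `login_success` fields assumed here. Two caveats: the window is deliberately long because a patient operator may wait days before first use, and a network baseline alone is weak against an attacker using proxies in the victim's region, so ASP creation itself should page for high-risk users, and those users are better served by Advanced Protection, which removes ASPs from the picture entirely.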