Full Report
Written by: Gabby Roncone, Wesley Shields

In cooperation with external partners, Google Threat Intelligence Group (GTIG) observed a Russia state-sponsored cyber threat actor impersonating the U.S. Department of State. From at least April through early June 2025, this actor targeted prominent academics and critics of Russia, often using extensive rapport building and tailored lures to convince the target to set up application specific passwords (ASPs). Once the target shares the ASP passcode, the attackers establish persistent access to the victim’s mailbox. Two distinct campaigns are detailed in this post. This activity aligns with Citizen Lab’s recent research on social engineering attacks against ASPs, another useful resource for high risk users.

GTIG tracks this activity as UNC6293, a likely Russia state-sponsored cyber actor that we assess with low confidence is associated with APT29 / ICECAP.

After establishing rapport, the attacker sent phishing lures disguised as meeting invitations, and added spoofed Department of State email addresses on the cc line of the initial outreach to increase the legitimacy of the contact attempt. The initial phishing email itself is not directly malicious, but encourages the victim to respond to set up a meeting.

Figure 1: Keir Giles, a prominent British researcher on Russia, posted this screenshot of an email header with fake U.S. Department of State emails that was part of a UNC6293 campaign

Targets who responded received an email with a benign PDF lure attached. The State Department themed lure is customized to the target and contains instructions to securely access a fake Department of State cloud environment. This included directing victims to go to https://account.google.com and create an Application Specific Password (ASP), or “app password.” ASPs are randomly generated 16-character passcodes that allow third-party applications to access your Google Account; they are intended for applications and devices that do not support features like 2-step verification (2SV). To use an ASP you must set it up and provide a name for the application.

Figure 2: Benign PDF document with instructions

In campaign one, the ASP name suggested in the lure PDF was “ms.state.gov”; in campaign two, we observed a Ukrainian and Microsoft themed ASP name. After creating the ASP, the attackers directed the target to send them the 16-character code. The attackers then set up a mail client to use the ASP, likely with the end goal of accessing and reading the victim’s email correspondence. This method also allows the attackers to have persistent access to accounts.

| Campaign | Sender Theme | ASP Name | Attacker Infrastructure Used |
| --- | --- | --- | --- |
| Campaign 1 | State Department | ms.state.gov | 91.190.191.117 - Residential proxy |
| Campaign 2 | Unknown | Ukrainian and Microsoft-themed ASP | 91.190.191.117 - Residential proxy |

Attackers logged into victim accounts primarily using residential proxies and VPS servers, in some cases re-using infrastructure to access different victim or attacker accounts. As a result, we were able to connect the two distinct campaigns we observed to the same cluster. We have re-secured the Gmail accounts compromised by these campaigns.

## Mitigations

GTIG is committed to our mission of understanding and countering advanced threats. We use the results of our research to ensure that Google's products are secure and to protect our users and enterprise customers.

Users have complete control over their ASPs and may create or revoke them on demand. Google Workspace administrators also have options for restricting their use, or revoking ones created by their users. Upon creation, Google sends a notification to the corresponding account’s Gmail, recovery email address, and any device signed in with that Google account, to ensure the user intended to enable this form of authentication.

Figure 3: Google Account Help documentation on app passwords

Google provides enhanced security resources such as the Advanced Protection Program (APP), intended for individuals at high risk of targeted attacks and exposure to other serious threats. Opting to use the APP prevents an account from creating an ASP due to the program’s heightened security requirements.

We are committed to sharing our findings with the security community and with companies and individuals that may have been targeted by these activities, and we hope that improved understanding of tactics and techniques will enhance threat hunting capabilities and lead to stronger user protections across the industry.

Lure PDF Document SHA256: 329fda9939930e504f47d30834d769b30ebeaced7d73f3c1aadd0e48320d6b39
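The report links the two campaigns through reused login infrastructure and notes that ASP creation produces a notification the user can act on. The following script is an added defender-side example, not code from GTIG or the original post: it triages a stream of account events for the pattern described (an ASP is created, and shortly afterwards a mail client signs in with it from an address the account has never used), then groups flagged accounts that share a source IP into one cluster. The event schema, account names and all IPs other than 91.190.191.117 are constructed for the example and are not the format of any Google audit log.

```python
"""Triage ASP-creation-then-foreign-login activity and cluster accounts by
shared source IP. Event schema and sample data are constructed for this
example; they are not a Google Workspace audit log format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. 91.190.191.117 is the address named in the
# report; 203.0.113.x, 198.51.100.x and 192.0.2.x are documentation ranges.
# The campaign-two ASP name is not given in the report, so a placeholder is used.
SAMPLE_EVENTS = [
    {"ts": "2025-05-02T09:00:00", "account": "alice@example.org", "event": "login",
     "ip": "203.0.113.10", "method": "password_2sv"},
    {"ts": "2025-05-03T14:20:00", "account": "alice@example.org", "event": "asp_created",
     "ip": "203.0.113.10", "asp_name": "ms.state.gov"},
    {"ts": "2025-05-03T16:05:00", "account": "alice@example.org", "event": "login",
     "ip": "91.190.191.117", "method": "asp"},
    {"ts": "2025-05-10T08:00:00", "account": "bob@example.org", "event": "login",
     "ip": "198.51.100.7", "method": "password_2sv"},
    {"ts": "2025-05-12T11:30:00", "account": "bob@example.org", "event": "asp_created",
     "ip": "198.51.100.7", "asp_name": "<ukrainian-microsoft-themed-name>"},
    {"ts": "2025-05-13T09:45:00", "account": "bob@example.org", "event": "login",
     "ip": "91.190.191.117", "method": "asp"},
    # Benign case: user creates an ASP and signs in with it from their own address.
    {"ts": "2025-05-20T10:00:00", "account": "carol@example.org", "event": "asp_created",
     "ip": "192.0.2.44", "asp_name": "Thunderbird"},
    {"ts": "2025-05-20T10:02:00", "account": "carol@example.org", "event": "login",
     "ip": "192.0.2.44", "method": "asp"},
]


def find_suspicious_asp_logins(events, window=timedelta(days=7)):
    """Flag ASP logins that arrive within `window` of an ASP creation from an IP
    the account had never used before. Returns a list of finding dicts."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_account[e["account"]].append(e)

    findings = []
    for account, evs in by_account.items():
        known_ips = set()   # addresses this account has been seen from so far
        pending = []        # (creation time, asp name) awaiting a first login
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if e["event"] == "asp_created":
                pending.append((t, e["asp_name"]))
                known_ips.add(e["ip"])
            elif e["event"] == "login":
                if e.get("method") == "asp" and e["ip"] not in known_ips:
                    for created, name in pending:
                        if created <= t <= created + window:
                            findings.append({"account": account, "asp_name": name,
                                             "ip": e["ip"], "ts": e["ts"]})
                            break
                known_ips.add(e["ip"])
    return findings


def cluster_by_shared_ip(findings):
    """Union accounts whose flagged logins share a source IP; returns sorted
    clusters, each a sorted list of account names."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            x = parent[x]
        return x

    ip_to_accounts = defaultdict(set)
    for f in findings:
        ip_to_accounts[f["ip"]].add(f["account"])
    for accounts in ip_to_accounts.values():
        accounts = sorted(accounts)
        for other in accounts[1:]:
            ra, rb = find(accounts[0]), find(other)
            if ra != rb:
                parent[ra] = rb

    clusters = defaultdict(set)
    for f in findings:
        clusters[find(f["account"])].add(f["account"])
    return sorted(sorted(c) for c in clusters.values())


if __name__ == "__main__":
    hits = find_suspicious_asp_logins(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['account']}: ASP '{h['asp_name']}' used from new IP {h['ip']} at {h['ts']}")
    print("clusters:", cluster_by_shared_ip(hits))
```

Run against the constructed sample, the script flags alice and bob (a fresh ASP used from an IP their accounts had never seen) and leaves carol alone, then places alice and bob in a single cluster because both flagged logins came from the same address. In a real deployment the first step would be to feed it the account's historical sign-in addresses rather than starting from an empty set, so that a new ASP used from a long-standing home IP is not flagged.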
Analysis Summary
# Threat Actor: UNC6293
## Attribution & Identity
* **Attribution:** Assessed by Google Threat Intelligence Group (GTIG) as a likely Russia state-sponsored cyber threat actor.
* **Aliases/Associations:** Tracked as UNC6293. GTIG assesses with low confidence that it is associated with APT29 / ICECAP.
* **Impersonation:** Impersonating the U.S. Department of State.
## Activity Summary
* **Timeline:** Observed from at least April through early June 2025.
* **Campaigns:** The report details two distinct campaigns that used extensive social engineering and rapport building to target prominent academics and critics of Russia.
* **Campaign 1:** Used a Department of State theme, suggesting an ASP name of "ms.state.gov".
* **Campaign 2:** Used an unknown sender theme, observed with a Ukrainian and Microsoft-themed ASP name.
* **Method:** The primary goal was to obtain Application Specific Passwords (ASPs) to gain persistent access to victim mailboxes.
## Tactics, Techniques & Procedures
* **Social Engineering:** Extensive rapport building to build trust with targets.
* **Phishing/Lures:** Sent initial phishing emails disguised as meeting invitations, often spoofing Department of State email addresses on the CC line to enhance legitimacy.
* **Document Lures:** Followed up initial contact with a benign PDF lure customized to the target, containing instructions to access a fake Department of State cloud environment.
* **Credential Theft (Specific):** Directed victims to create an Application Specific Password (ASP) and provide the 16-character passcode to the attacker.
* **Persistence:** Attackers set up a mail client using the compromised ASP to access and maintain persistent access to the victim's email.
* **MITRE ATT&CK Mapping (Inferred):** Not explicitly listed in the report; the activity centers on social engineering and plausibly maps to Valid Accounts (T1078).
## Targeting
* **Sectors:** Prominent academics and critics of Russia (implied targets involved in policy/geopolitical commentary).
* **Geography:** Not explicitly stated, but the targeting focuses on individuals critical of Russia.
* **Victims:** Prominent academics and critics of Russia (e.g., Keir Giles, a British researcher on Russia, was cited as an example).
## Tools & Infrastructure
* **Malware Families Used:** None explicitly mentioned; the focus is on social engineering and leveraging native application features (ASPs).
* **Infrastructure (C2, domains, IPs):**
  * **IP Address:** 91[.]190[.]191[.]117 (used in both observed campaigns).
  * **Method:** Attackers logged into accounts primarily using residential proxies and VPS servers.
## Implications
UNC6293 demonstrates a sophisticated, persistent, and low-signature approach to compromising high-value targets associated with geopolitical criticism of Russia. By obtaining Application Specific Passwords (ASPs), which let a mail client access the account outside the normal interactive sign-in flow, the actor gains long-term, stealthy access to sensitive communications, enabling comprehensive surveillance. The use of a trusted government role-play (Department of State) highlights an attempt to exploit existing trust networks.
## Mitigations
* Users should be aware of social engineering aimed at obtaining ASPs.
* **Application Specific Passwords (ASPs):** Users should carefully review notifications regarding ASP creation and can revoke them on demand.
* Google Workspace administrators should consider restricting the use of ASPs.
* High-risk users should utilize Google's **Advanced Protection Program (APP)**, as it prevents the creation of ASPs due to heightened security requirements.
* Be highly skeptical of unsolicited meeting requests or document lures, especially those referencing governmental entities, which prompt the creation of credentials via external links.