A professional hacking team linked to the Russian government has been caught wielding a new, low-and-slow phishing trick that beats two-factor authentication by exploiting Google’s little-known “app-specific password” feature.
According to documentation from Google’s Threat Intelligence Group, the operation ran from April into early June and impersonated US State Department officials in email threads with flawless English and copied to four bogus @state.gov colleagues.
Google tracks the threat actor as UNC6293 and believes it is linked to APT29, the Russian intelligence unit blamed for the 2016 Democratic National Committee breach. Investigators estimate the group spent weeks cultivating each target before pushing detailed instructions on the ASP (application-specific password) feature.
One victim, British writer Keir Giles of Chatham House, exchanged more than 10 emails with a sender calling herself “Claudie S. Weber.” The messages arrived during Washington business hours and used email addresses that never bounced.
Once trust was established via email back-and-forth, Google said the impostor sent a six-page PDF on fake State Department letterhead instructing the target to visit Google’s account-settings page, generate a 16-character app-specific password labelled “ms.state.gov,” and email the code back “to complete secure onboarding.”
With that code, the hackers gained persistent, MFA-free access to the target’s Gmail account.
Citizen Lab, which reviewed the lure at Giles’s request, said the emails and PDF were free of the minor language slips often seen in phishing messages. The researchers suspect generative-AI tools were used to polish the language to avoid suspicion.
“This was a highly sophisticated attack, requiring the preparation of a range of fake identities, accounts, materials and elements of deception. The attacker was clearly meticulous, to the extent that even a vigilant user would be unlikely to spot out-of-place elements or details,” Citizen Lab researchers said.
Google linked the Giles incident to a second wave centered around Ukrainian themes. In both cases, the attackers routed logins through the same residential-proxy IP and occasionally reused the node across different victims.
The tech giant said it has revoked every stolen password it found, locked affected accounts and alerted additional targets.
Google and Citizen Lab urge high-profile targets to enrol in Google’s Advanced Protection feature and audit accounts for any lingering ASPs.
Related: Russian APT29 Hackers Caught Targeting German Political Parties
Related: Microsoft Says Russian Hackers Stole Email Data From Senior Execs
Related: CISA Says Russian Hackers Targeting Western Supply-Lines to Ukraine
Related: Microsoft Says APTs Using ChatGPT for Vuln Research, Malware Scripting
