Advanced Attack Bypasses MFA Using Google App Passwords

A highly advanced cyber campaign backed by the Russian state has exploited Google’s App-Specific Password (ASP) feature to bypass multi-factor authentication, targeting prominent critics of Russia. This operation highlights the growing sophistication of threat actors and the challenges high-profile individuals face in securing their digital identities.

The campaign, attributed to UNC6293 with suspected links to APT29, demonstrates a new level of precision in social engineering. Experts warn that such tactics may become more widespread as attackers adapt to modern security protections. 

Targeted Social Engineering Effort 

The operation gained attention when Keir Giles, a British academic and authority on Russian information warfare at Chatham House, unknowingly provided login credentials to his email accounts. On May 22, 2025, he received a message from someone posing as “Claudie S. Weber,” a supposed Senior Program Advisor at the U.S. State Department. The email invited Giles to join a confidential consultation, an offer that would seem routine to someone in his position. 

What set this attack apart was the calculated pace and attention to detail. Over several weeks, the attackers built rapport through more than ten email exchanges. Their communication was consistent, grammatically sound, and free of the telltale signs often seen in phishing attempts. Some analysts believe large language models may have helped create these messages. 

The attackers added credibility by copying several fake @state.gov addresses in the message, creating what Giles called “pillars of plausibility.” These false contacts were meant to simulate support from within the State Department and discourage skepticism from the target. 

Exploiting Google’s ASP Feature 

The technical core of the operation involved convincing Giles to create and send an App-Specific Password. These 16-character codes allow third-party applications to access Google accounts without triggering multi-factor authentication checks. 

The attackers sent Giles a six-page PDF that appeared to be a legitimate State Department document. It included official formatting, markings, and revision histories. The document instructed him to generate an ASP labelled “ms.state.gov” and submit it as part of a secure onboarding process for a supposed government platform. 

This well-crafted deception made it seem like Giles was following a security protocol, when in fact he was compromising his own email security. Once the attackers had the ASP, they could access his Gmail account without any multi-factor verification. Eventually, Google detected suspicious activity and locked the account. Logs later showed a login attempt from a Digital Ocean IP address on June 4, 2025. 

Google’s Threat Intelligence Group identified UNC6293 as the threat actor, suggesting with moderate confidence that the group is associated with APT29, also known as Cozy Bear, a Russian intelligence unit. The same infrastructure used in this attack was linked to a second campaign focused on Ukrainian themes, pointing to a broader agenda. 

Infrastructure and Tactics 

Researchers found the attackers used residential proxies and VPS servers to disguise their operations. One IP address, 91.190.191.117, was reused across multiple campaigns, helping investigators connect the incidents to the same threat actor. 

This campaign reflects a notable evolution in social engineering. As users grow more familiar with traditional phishing and embrace multi-factor authentication, attackers are shifting to new techniques that are harder to detect. The patience shown in this operation is uncommon. When Giles faced difficulties creating the ASP, the attackers offered detailed instructions and even requested screenshots to guide him through the process. This level of support resembles customer service and underscores the resources behind state-sponsored operations. 

Mitigation and Recommendations 

In response, Google is encouraging high-risk users to enroll in the Advanced Protection Program, which blocks ASP creation entirely under its stricter security protocols. Security experts also advise organizations to audit and disable ASPs unless they are absolutely necessary. 
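One way to act on the "audit and disable ASPs" advice above, as an added example that is not from the article or from Google. It assumes records shaped like the Admin SDK Directory API asps.list items (codeId, name, creationTime and lastTimeUsed in epoch milliseconds) and an assumed delete endpoint path; the sample data is constructed.

```python
from datetime import datetime, timezone

def ms(*ymd):
    """Epoch milliseconds for a UTC date; used only to build the sample records."""
    return int(datetime(*ymd, tzinfo=timezone.utc).timestamp() * 1000)

# Constructed sample, shaped like Admin SDK asps.list items (field names assumed).
SAMPLE_ASPS = {
    "analyst@example.org": [
        {"codeId": 101, "name": "Mail client on laptop",
         "creationTime": ms(2024, 1, 10), "lastTimeUsed": ms(2025, 6, 3)},
        {"codeId": 102, "name": "ms.state.gov",
         "creationTime": ms(2025, 6, 2), "lastTimeUsed": ms(2025, 6, 4)},
    ],
    "editor@example.org": [
        {"codeId": 201, "name": "Old printer scanner",
         "creationTime": ms(2023, 5, 1), "lastTimeUsed": 0},
    ],
}

APPROVED_NAMES = {"Mail client on laptop"}  # client labels the organisation has vetted

def audit_asps(asps_by_user, now_ms, new_days=14, stale_days=90):
    """Return (user, codeId, reason) tuples for ASPs that need attention.

    "new": created within new_days; confirm with the user that they set it up.
    "stale": never used, or unused for more than stale_days; revoke it.
    "unrecognized": label is not on the vetted allowlist; revoke unless justified.
    """
    day_ms = 86_400_000
    findings = []
    for user, asps in asps_by_user.items():
        for asp in asps:
            reasons = []
            if now_ms - asp["creationTime"] <= new_days * day_ms:
                reasons.append("new")
            last = asp.get("lastTimeUsed", 0)
            if last == 0 or now_ms - last > stale_days * day_ms:
                reasons.append("stale")
            if asp["name"] not in APPROVED_NAMES:
                reasons.append("unrecognized")
            findings.extend((user, asp["codeId"], r) for r in reasons)
    return findings

def revoke_url(user, code_id):
    """Admin SDK delete endpoint for one ASP (assumed path; check the current docs)."""
    return f"https://admin.googleapis.com/admin/directory/v1/users/{user}/asps/{code_id}"

if __name__ == "__main__":
    for user, code_id, reason in audit_asps(SAMPLE_ASPS, ms(2025, 6, 5)):
        print(f"{reason:13} {user} codeId={code_id} -> DELETE {revoke_url(user, code_id)}")
```

In a real deployment the records come from an authenticated Admin SDK call per user, and a reviewer confirms each "new" finding with the account owner before revoking.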

The incident has raised broader concerns about similar vulnerabilities on other platforms. Services like Apple ID also support app-specific passwords and may be vulnerable to similar methods. Giles has warned that the stolen information may be used in future influence campaigns, emphasizing the long-term risks posed by these types of targeted attacks. 
