Russian Hackers Bypass Gmail MFA with App Specific Password Ruse

Russian-Linked Hackers Use Google’s App-Specific Passwords to Bypass MFA in Stealthy Phishing Campaign 

A professional hacking group tied to the Russian government has been observed using a stealthy phishing technique that bypasses multi-factor authentication (MFA) by exploiting Google’s lesser-known app-specific password (ASP) feature. 

According to Google’s Threat Intelligence Group, the campaign ran from April through early June and involved impersonation of U.S. State Department officials. The attackers used flawless English in email threads, often including four fake @state.gov recipients to build credibility. 

Google tracks this threat actor under the designation UNC6293 and believes it is associated with APT29, a Russian intelligence unit also linked to the 2016 Democratic National Committee breach. The group reportedly invested weeks building trust with targets before introducing the ASP tactic.

One known target, Keir Giles, a British writer affiliated with Chatham House, exchanged more than ten emails with a person posing as “Claudie S. Weber.” The communications, which aligned with typical Washington D.C. business hours, appeared legitimate, with no rejected or bounced messages. 

After establishing rapport, the attacker sent a six-page PDF on forged State Department letterhead. The document instructed Giles to navigate to Google’s account settings, generate a 16-character app-specific password labelled “ms.state.gov,” and send it back to finalize "secure onboarding." 

With that ASP, the attackers could sign in to the victim's Gmail account without triggering an MFA prompt, because app-specific passwords are designed to let legacy applications authenticate without a second factor. This gave them long-term access to the account.

Citizen Lab, which reviewed the materials at Giles’s request, noted that the phishing emails and document lacked the usual language errors typical of such campaigns. The group suspects that generative AI may have been used to refine the content and enhance credibility. 

“This was a sophisticated operation involving carefully constructed identities, documents, and methods of deception. Even cautious users would have found it difficult to detect anything suspicious,” said researchers from Citizen Lab. 

Google linked this attack to a second campaign with Ukrainian-related themes. In both cases, the attackers routed their access through the same residential proxy IP address, and occasionally reused that address across multiple victims.

In response, Google has invalidated all stolen app-specific passwords, secured affected accounts, and notified additional potential targets. 

Both Google and Citizen Lab strongly recommend that individuals at risk activate Google’s Advanced Protection Program and review their accounts for any unauthorized ASPs. 
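The two defensive cues above (the same proxy IP reused across several victims' app-password logins, and an ASP the account owner did not knowingly create) can be turned into a simple log review. The following is an added example, not code from the article, Google, or Citizen Lab; the log line format, the field names and the `app_password` login type are constructed assumptions standing in for whatever your sign-in logs actually record.

```python
# Added example: correlate app-password (ASP) sign-ins across accounts by source IP.
# Log format and field names are assumptions; the sample lines are constructed.
from collections import defaultdict

# Constructed sample log lines: timestamp user source_ip login_type
SAMPLE_LOGS = """\
2025-05-02T14:03:11Z alice@example.org 203.0.113.45 app_password
2025-05-02T14:05:40Z alice@example.org 198.51.100.7 browser_mfa
2025-05-03T09:17:02Z bob@example.org 203.0.113.45 app_password
2025-05-03T09:20:55Z carol@example.org 203.0.113.45 app_password
2025-05-04T11:42:13Z dave@example.org 192.0.2.88 app_password
"""


def parse_logs(text):
    """Parse whitespace-separated sign-in records into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, login_type = line.split()
        events.append({"ts": ts, "user": user, "ip": ip, "login_type": login_type})
    return events


def flag_shared_asp_sources(events, min_users=2):
    """Return {ip: sorted users} for IPs whose app-password sign-ins span >= min_users accounts.

    One IP authenticating with ASPs into several unrelated accounts is the
    reuse pattern the campaign reporting describes for the residential proxy.
    """
    users_by_ip = defaultdict(set)
    for e in events:
        if e["login_type"] == "app_password":
            users_by_ip[e["ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


def first_asp_login_per_user(events):
    """Earliest app-password sign-in per account; a prompt to ask the owner whether
    they created an ASP around that time and, if not, to revoke it."""
    first = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["login_type"] == "app_password" and e["user"] not in first:
            first[e["user"]] = e["ts"]
    return first
```

A single account's app-password sign-in (like `dave@example.org` above) is not flagged by the IP correlation alone, which is why the per-user first-ASP-login list is worth reviewing separately.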
