Russian state-backed hackers have used a patient social-engineering campaign to compromise Gmail accounts, specifically by getting victims to hand over app-specific passwords (ASPs), which sidestep multi-factor authentication (MFA). An ASP is a 16-character password Google issues, only on accounts with 2-Step Verification enabled, so that mail clients that cannot complete the normal sign-in flow can still connect. It authenticates on its own, without a second factor, and stays valid until revoked. The attackers repurposed that convenience feature into a durable, MFA-free channel into victims' mailboxes.
Russian hackers are exploiting Gmail’s app-specific password feature to bypass multi-factor authentication, gaining unauthorized access to accounts.
The hackers ran elaborate social-engineering campaigns against prominent academics and Kremlin critics from April to early June 2025. Victims included Keir Giles, a recognized expert on Russian affairs. The attackers crafted highly targeted phishing messages that mimicked communications from U.S. State Department officials. The emails were notable for their impeccable English and professional formatting, which lent them credibility and helped build trust with recipients. Unusual spikes in account data usage were often the first sign that an account had been accessed without authorization.
Rather than the high-pressure tactics common in traditional phishing, the attackers cultivated rapport over several weeks. The phishing messages typically presented themselves as benign meeting invitations, and the attackers padded the CC field with multiple fictitious "@state.gov" addresses to bolster their legitimacy. Those addresses carry no authentication of any kind: the CC field is written by the sender, and nothing in the message or the transport verifies that the listed colleagues exist. Unlike the high-volume phishing most defenders tune for, this campaign traded speed for patience, investing weeks in each target.
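The CC-padding and display-name tricks described above can be caught mechanically by comparing the domains a message claims in its visible headers against the domains the receiving server actually verified. The following is an added example for this article, not code from the original page or from the Google or Citizen Lab reports. The two raw messages are constructed for illustration, the trusted domain set is an assumption for the example, and the script relies only on Python's standard library and the standard Authentication-Results header format.

```python
"""Triage inbound mail whose headers borrow a trusted domain's credibility.

Added example (not from the original article). Sample messages below are
constructed; TRUSTED_DOMAINS is an assumption for illustration.
"""
import re
from email import message_from_string
from email.utils import getaddresses

# Domain the lure tries to borrow credibility from (assumption for this example).
TRUSTED_DOMAINS = {"state.gov"}
# Organisation names a display name might invoke (assumption for this example).
ORG_NAME_PATTERN = re.compile(r"state department|department of state", re.I)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def claimed_domains(msg) -> dict:
    """Domains asserted in sender-controlled headers. Anyone can write these."""
    out = {}
    for hdr in ("From", "Reply-To", "To", "Cc"):
        pairs = getaddresses(msg.get_all(hdr, []))
        out[hdr] = {_domain(addr) for _, addr in pairs if addr}
    return out


def authenticated_domains(msg) -> set:
    """Domains the receiving MTA vouched for via DKIM or SPF in Authentication-Results."""
    found = set()
    for ar in msg.get_all("Authentication-Results", []):
        # e.g. "dkim=pass header.i=@gmail.com" or "dkim=pass header.d=gmail.com"
        for m in re.finditer(r"dkim=pass[^;]*header\.(?:i|d)=@?([\w.-]+)", ar):
            found.add(m.group(1).lower())
        # e.g. "spf=pass smtp.mailfrom=gmail.com" or "smtp.mailfrom=user@gmail.com"
        for m in re.finditer(r"spf=pass[^;]*smtp\.mailfrom=(?:[^@\s;]*@)?([\w.-]+)", ar):
            found.add(m.group(1).lower())
    return found


def triage(raw: str) -> list:
    """Return human-readable findings for one raw message; an empty list means nothing odd."""
    msg = message_from_string(raw)
    claimed = claimed_domains(msg)
    authed = authenticated_domains(msg)
    findings = []

    # 1. A trusted domain is named in a header, but no SPF/DKIM pass covers that
    #    domain. Cc entries in particular are never authenticated by anyone.
    for hdr, doms in claimed.items():
        for d in sorted(doms & TRUSTED_DOMAINS):
            if d not in authed:
                findings.append(f"{hdr} names {d} but no SPF/DKIM pass covers it")

    # 2. The visible From domain is not the domain that actually authenticated.
    from_doms = claimed["From"]
    if from_doms and authed and not (from_doms & authed):
        findings.append(f"From {sorted(from_doms)} differs from authenticated {sorted(authed)}")

    # 3. The display name invokes the trusted organisation while the address does not belong to it.
    for name, addr in getaddresses(msg.get_all("From", [])):
        if ORG_NAME_PATTERN.search(name) and _domain(addr) not in TRUSTED_DOMAINS:
            findings.append(f"display name {name!r} invokes trusted org but address is {addr}")

    return findings


# Constructed lure: a free-mail sender, an official-sounding display name,
# and padding of the Cc field with addresses at the impersonated domain.
LURE_RAW = """\
Return-Path: <policy.office.desk@gmail.com>
Authentication-Results: mx.example.net; dkim=pass header.i=@gmail.com; spf=pass smtp.mailfrom=gmail.com
From: "Policy Office (U.S. Department of State)" <policy.office.desk@gmail.com>
To: target@example.org
Cc: first.colleague@state.gov, second.colleague@state.gov, third.colleague@state.gov
Subject: Invitation: informal consultation

Dear Professor, would you have time for a short call next week?
"""

# Constructed legitimate message: the From domain is the one DKIM and SPF verified.
LEGIT_RAW = """\
Return-Path: <press@state.gov>
Authentication-Results: mx.example.net; dkim=pass header.i=@state.gov; spf=pass smtp.mailfrom=state.gov
From: "Press Office" <press@state.gov>
To: target@example.org
Cc: desk@state.gov
Subject: Schedule

Confirming Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE_RAW), ("legit", LEGIT_RAW)):
        print(label, triage(raw) or ["no findings"])
```

Run against a mailbox export, the script is a triage aid rather than a verdict: finding 1 is the one that matters for this campaign, because it fires whenever a message leans on "@state.gov" colleagues that no mail server ever authenticated, which is exactly what a padded CC field looks like.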
Over time, the carefully curated email exchanges led victims to detailed instructions on generating an ASP and sending it back, including a six-page PDF bearing a fake State Department letterhead. Whoever holds that ASP can then sign in through an ordinary mail client, for example over IMAP, without ever being prompted for a second factor, and the access persists until the password is revoked. Anyone who suspects exposure should review the app passwords listed in their Google account security settings and revoke any they do not recognize; enrolling in Google's Advanced Protection Program removes the feature entirely.
This meticulous impersonation effort has been attributed to UNC6293, a cluster associated with Russia's APT29, also known as Cozy Bear, a group with a long record of stealthy, precisely targeted espionage operations. The Google Threat Intelligence Group and Citizen Lab examined and documented the tactics.
The campaign's blend of patient social engineering and abuse of a legitimate account feature illustrates how threats against influential individuals and institutions keep evolving: the MFA was never broken, the victim was simply talked into issuing a credential that MFA does not protect.