Russian APT UNC6293 Exploits Google Application-Specific Passwords to Hack Critics
Ddos 
In a new report released in cooperation with external partners, Google Threat Intelligence Group (GTIG) has attributed a sophisticated phishing campaign to a Russia state-sponsored threat actor, tracked as UNC6293, with low confidence association to APT29 / ICECAP. The campaign targeted prominent critics of Russia and academics by exploiting a lesser-known access feature in Google accounts: Application-Specific Passwords (ASPs).
The campaign employed highly personalized phishing tactics, posing as representatives of the U.S. Department of State. The attackers crafted benign initial emails that appeared to be legitimate meeting invitations, with spoofed government addresses added to the CC line for increased credibility.
βThe initial phishing email itself is not directly malicious, but encourages the victim to respond to set up a meeting,β the report explains.
Once contact was established, targets received State Department-themed PDFs containing instructions to visit the legitimate Google account settings page and generate an ASPβa 16-character passcode designed for applications that donβt support modern authentication like 2-Step Verification (2SV).
βThis included directing victims to go to https://account.google.com and create an Application Specific Password (ASP) or βapp password.ββ
GTIG identified two distinct but related campaigns:
| Campaign | Theme | Suggested ASP Name | Attacker Infrastructure |
|---|---|---|---|
| 1 | U.S. State Department | ms.state.gov |
91.190.191.117 (residential proxy) |
| 2 | Ukrainian / Microsoft-themed | custom name |
Same infrastructure |
After the victim submitted the ASP code, attackers used it to configure a mail client, effectively gaining persistent access to the victimβs email without triggering additional security alerts.
βThis method also allows the attackers to have persistent access to accounts,β GTIG emphasized.
What makes this campaign especially concerning is its reliance on social engineering over malware. The attackers didnβt trick users into clicking malicious linksβinstead, they convinced victims to generate the access key themselves and send it directly to them.
The lures were tailored and realistic, using well-known diplomatic themes and designed to bypass technical defenses. The PDF lures, while benign, guided users through every step of the compromise.
Google has since re-secured the Gmail accounts affected in these campaigns. The attack infrastructure primarily relied on residential proxies and VPS servers, some of which were reused across multiple campaigns, helping researchers correlate activity.
βWe were able to connect the two distinct campaigns we observed to the same cluster,β the GTIG report states.
Related Posts:
- Google: Zero-Day Exploits Shift from Browsers to Enterprise Security Tools in 2024
- APT29’s Espionage Campaign Exploits WinRAR Flaw, Targets Embassies
- APT29 Strikes German Politics with WINELOADER Malware Assault
- DPRK IT Workers: A Global Threat Expanding in Scope and Scale
- APT29 Lures Victims with Fake BMW Ads in Latest Attack
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
