
In a new report released in cooperation with external partners, Google Threat Intelligence Group (GTIG) has attributed a sophisticated phishing campaign to a Russian state-sponsored threat actor, tracked as UNC6293, with a low-confidence association to APT29 / ICECAP. The campaign targeted prominent critics of Russia and academics by exploiting a lesser-known access feature in Google accounts: Application-Specific Passwords (ASPs).
The campaign employed highly personalized phishing tactics, posing as representatives of the U.S. Department of State. The attackers crafted benign initial emails that appeared to be legitimate meeting invitations, with spoofed government addresses added to the CC line for increased credibility.
“The initial phishing email itself is not directly malicious, but encourages the victim to respond to set up a meeting,” the report explains.

Once contact was established, targets received State Department-themed PDFs containing instructions to visit the legitimate Google account settings page and generate an ASP—a 16-character passcode designed for applications that don’t support modern authentication like 2-Step Verification (2SV).
“This included directing victims to go to https://account.google.com and create an Application Specific Password (ASP) or ‘app password.’”
GTIG identified two distinct but related campaigns:
Campaign | Theme | Suggested ASP Name | Attacker Infrastructure |
---|---|---|---|
1 | U.S. State Department | ms.state.gov | 91.190.191.117 (residential proxy) |
2 | Ukrainian / Microsoft-themed | custom name | Same infrastructure |
After the victim submitted the ASP code, attackers used it to configure a mail client, effectively gaining persistent access to the victim’s email without triggering additional security alerts.
“This method also allows the attackers to have persistent access to accounts,” GTIG emphasized.
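The persistence described above leaves a detectable trace on the defender's side: an app-password creation event followed shortly by a legacy-protocol (IMAP/POP/SMTP) login from an address the user has never used. The following is an added example, not code from GTIG or Google, showing how an analyst might correlate those two events over audit records. The record schema (`ts`, `user`, `event`, `ip`, `app`), the event names `app_password_created` and `login_success`, the `KNOWN_IPS` baseline and all IP addresses are constructed for this example and do not reflect Google's actual log format.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample audit records. Field names and event names are a
# hypothetical schema for this example, not Google's audit-log format.
SAMPLE_EVENTS: List[Dict] = [
    # alice: ASP created, then IMAP login 7 minutes later from an unfamiliar IP
    {"ts": "2025-06-01T09:00:00", "user": "alice@example.org",
     "event": "app_password_created", "ip": "203.0.113.5", "app": None},
    {"ts": "2025-06-01T09:07:00", "user": "alice@example.org",
     "event": "login_success", "ip": "198.51.100.77", "app": "imap"},
    # bob: ASP created weeks earlier, IMAP login from his usual IP (benign)
    {"ts": "2025-05-20T08:00:00", "user": "bob@example.org",
     "event": "app_password_created", "ip": "203.0.113.9", "app": None},
    {"ts": "2025-06-01T10:00:00", "user": "bob@example.org",
     "event": "login_success", "ip": "203.0.113.9", "app": "imap"},
    # carol: ordinary web login, no ASP involved
    {"ts": "2025-06-01T11:00:00", "user": "carol@example.org",
     "event": "login_success", "ip": "203.0.113.5", "app": "web"},
]

# Constructed per-user baseline of previously seen source addresses.
KNOWN_IPS: Dict[str, Set[str]] = {
    "alice@example.org": {"203.0.113.5"},
    "bob@example.org": {"203.0.113.9"},
}

# Protocols that accept an ASP instead of an interactive 2SV login.
LEGACY_APPS = {"imap", "pop", "smtp"}


def detect_asp_abuse(events: List[Dict], known_ips: Dict[str, Set[str]],
                     window: timedelta = timedelta(hours=24)) -> List[Dict]:
    """Flag users whose app-password creation is followed, within `window`,
    by a legacy-protocol login from an IP absent from their baseline."""
    by_user: Dict[str, List[Dict]] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(ev["user"], []).append(ev)

    alerts: List[Dict] = []
    for user, evs in by_user.items():
        baseline = known_ips.get(user, set())
        creations = [e for e in evs if e["event"] == "app_password_created"]
        for created in creations:
            created_at = datetime.fromisoformat(created["ts"])
            for ev in evs:
                if ev["event"] != "login_success" or ev["app"] not in LEGACY_APPS:
                    continue
                login_at = datetime.fromisoformat(ev["ts"])
                in_window = created_at <= login_at <= created_at + window
                if in_window and ev["ip"] not in baseline:
                    alerts.append({
                        "user": user,
                        "asp_created": created["ts"],
                        "login": ev["ts"],
                        "ip": ev["ip"],
                        "app": ev["app"],
                    })
    return alerts


if __name__ == "__main__":
    for alert in detect_asp_abuse(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"ALERT {alert['user']}: ASP created {alert['asp_created']}, "
              f"{alert['app']} login from {alert['ip']} at {alert['login']}")
```

Only alice is flagged: bob's app password was created weeks before his login and the login came from a baseline address, and carol never created one. In a real deployment the baseline would come from historical login data, and the 24-hour window is a starting point to tune against the organisation's own false-positive rate.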
What makes this campaign especially concerning is its reliance on social engineering over malware. The attackers didn’t trick users into clicking malicious links—instead, they convinced victims to generate the access key themselves and send it directly to them.
The lures were tailored and realistic, using well-known diplomatic themes and designed to bypass technical defenses. The PDF lures, while benign, guided users through every step of the compromise.
Google has since re-secured the Gmail accounts affected in these campaigns. The attack infrastructure primarily relied on residential proxies and VPS servers, some of which were reused across multiple campaigns, helping researchers correlate activity.
“We were able to connect the two distinct campaigns we observed to the same cluster,” the GTIG report states.