An advanced cyberattack attributed to a group linked to the Russian government has come to light, employing a deceptive technique that manipulates individuals into generating and sharing App-Specific Passwords (ASPs). This method effectively circumvents standard security protocols, including Multi-Factor Authentication (MFA).
The alarming details of this attack were unveiled through collaborative research conducted by Citizen Lab, a Toronto-based research group, and Google’s Threat Intelligence Group (GTIG). The investigation was initiated after Keir Giles, a noted authority on Russian disinformation and a senior associate at Chatham House, sought Citizen Lab’s assistance following his own targeting.
A Malicious New Approach
This strategy deviates from conventional phishing attacks by being methodical and highly convincing. The scheme began on May 22, 2025, when Mr. Giles received an email from an individual claiming to be Claudie S. Weber, allegedly a US State Department official. The authenticity of the correspondence was bolstered by the inclusion of legitimate email addresses in the “CC” field. The attackers employed a gradual approach, dispatching over ten messages over several weeks to build rapport, likely utilizing sophisticated tools to craft seemingly natural dialogue.
The primary objective was to entice Mr. Giles into registering for a counterfeit MS DoS Guest Tenant platform. Accompanying this was a professionally crafted PDF, providing step-by-step instructions that prompted him to generate an ASP for his Google account.
For context, an ASP is a unique 16-digit code utilized by legacy applications that do not support contemporary security measures. While the attackers presented this ASP as a means to access a secure government system, it ultimately granted them illicit control over his accounts.
Russian Link and Future Warnings
GTIG has identified the group orchestrating these attacks as UNC6293, which is believed to have connections to APT29, also known as Cozy Bear, a cyber espionage faction linked to Russia’s Foreign Intelligence Service (SVR). Google subsequently detected the intrusion into Mr. Giles’s accounts, initiated remedial actions to secure his credentials, and disabled the email address used by the attackers.
This incident underscores an escalating trend in cybersecurity threats, as the proliferation of security measures like MFA prompts adversaries to devise innovative strategies to sidestep them. Experts anticipate a rise in social engineering attacks aimed at exploiting ASPs.
Organizations must remain vigilant regarding the utilization of ASPs within their digital frameworks and prioritize education on emerging risks among users. Google is actively working to phase out ASP usage for business accounts in Google Workspace while balancing security needs with user requirements for personal Gmail accounts.
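One concrete way for an organization to stay vigilant about ASP usage is to inventory the app passwords on each account and flag the ones that warrant a conversation with the user: an ASP created in the last couple of weeks (exactly what the campaign above induces the victim to create), one that has never been used, or one that has gone stale. The script below is an added example and is not code from Citizen Lab, GTIG or Google. It assumes the Google Workspace Admin SDK Directory API `asps` resource, whose `list()` items carry `codeId`, `name`, `creationTime` and `lastTimeUsed` as epoch-millisecond strings; the user name, ASP records and audit date are constructed so the audit runs offline with reproducible results.

```python
"""Audit App-Specific Passwords (ASPs) on a Google Workspace account.

Added example, not code from the research described above.  The record shape
(codeId, name, creationTime, lastTimeUsed in epoch milliseconds as strings) is
assumed to match the Admin SDK Directory API 'asps' resource; the sample data
below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MS = 1000  # the API reports timestamps in milliseconds since the epoch


@dataclass
class AspFinding:
    user: str
    code_id: int
    name: str
    reason: str


def _to_dt(epoch_ms: str) -> datetime:
    return datetime.fromtimestamp(int(epoch_ms) / MS, tz=timezone.utc)


def _ms(dt: datetime) -> str:
    return str(int(dt.timestamp() * MS))


def audit_asps(user: str, asps: list[dict], now: datetime,
               new_within_days: int = 14,
               stale_after_days: int = 90) -> list[AspFinding]:
    """Return one finding per ASP that deserves review.

    Order of checks matters: a freshly created ASP is the highest-signal case
    for the social-engineering pattern above, so it wins even if the
    password has already been used.
    """
    findings: list[AspFinding] = []
    for asp in asps:
        created = _to_dt(asp["creationTime"])
        last_used_ms = int(asp.get("lastTimeUsed", "0"))  # "0" means never used
        if now - created <= timedelta(days=new_within_days):
            reason = "created recently"
        elif last_used_ms == 0:
            reason = "never used"
        elif now - _to_dt(asp["lastTimeUsed"]) > timedelta(days=stale_after_days):
            reason = "stale"
        else:
            continue  # established and in regular use: nothing to report
        findings.append(AspFinding(user, int(asp["codeId"]), asp["name"], reason))
    return findings


def fetch_asps(service, user_key: str) -> list[dict]:
    """Live variant (not run here).  Assumes an authorised Admin SDK Directory
    API client built with googleapiclient and the
    admin.directory.user.security scope."""
    return service.asps().list(userKey=user_key).execute().get("items", [])


# --- constructed sample data -------------------------------------------------
SAMPLE_USER = "user@example.org"                    # placeholder, not a real account
AUDIT_TIME = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed so results repeat
_UTC = timezone.utc
SAMPLE_ASPS = [
    {"codeId": 101, "name": "Thunderbird on laptop",
     "creationTime": _ms(datetime(2023, 1, 10, tzinfo=_UTC)),
     "lastTimeUsed": _ms(datetime(2025, 5, 30, tzinfo=_UTC))},
    {"codeId": 102, "name": "Guest tenant access",      # the kind an attacker requests
     "creationTime": _ms(datetime(2025, 5, 28, tzinfo=_UTC)),
     "lastTimeUsed": _ms(datetime(2025, 5, 29, tzinfo=_UTC))},
    {"codeId": 103, "name": "Old mail client",
     "creationTime": _ms(datetime(2022, 3, 1, tzinfo=_UTC)),
     "lastTimeUsed": "0"},
    {"codeId": 104, "name": "Scanner to email",
     "creationTime": _ms(datetime(2024, 1, 1, tzinfo=_UTC)),
     "lastTimeUsed": _ms(datetime(2024, 9, 1, tzinfo=_UTC))},
]

if __name__ == "__main__":
    for f in audit_asps(SAMPLE_USER, SAMPLE_ASPS, AUDIT_TIME):
        print(f"{f.user}\tcodeId={f.code_id}\t{f.reason}\t{f.name!r}")
```

Run over the sample, the audit reports three of the four passwords: the one created four days before the audit, the one that has never been used, and the one idle for nine months; the mail client password in daily use is left alone. In practice the "created recently" list is the one to reconcile with the user, since a password they do not recognise is the footprint the campaign above leaves behind.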