Russian Department of Fake
- Javier Conejo del Cerro
- 14 minutes ago
- 4 min. read

In mid-2025, Google’s Threat Intelligence Group (GTIG) and the Citizen Lab exposed a sophisticated phishing campaign operated by UNC6293, a cluster attributed to the Russian state-sponsored group APT29 (also known as Cozy Bear, BlueBravo, Midnight Blizzard, and Cloaked Ursa). The campaign targets Gmail users by abusing application-specific passwords (ASPs), which are 16-digit codes used to allow access to accounts with two-factor authentication enabled.
Masquerading as officials from the U.S. Department of State, APT29 uses long-term social engineering to convince high-profile individuals to create and share ASPs, effectively bypassing Gmail’s 2FA protection and granting persistent access to the victim’s inbox. This technique illustrates a growing trend among advanced persistent threats: subverting security features not through exploits, but through deception and misuse of legitimate processes.
Targeting beyond borders
The targets in this campaign are not random. According to GTIG and Citizen Lab, the operation singles out academics, policy analysts, and political researchers based outside of Russia who have been openly critical of the Kremlin. These individuals often work in institutions with influence over foreign policy, security, or Russian affairs.
Rather than applying pressure or urgency, the campaign focuses on slow rapport-building. Attackers initiate contact through benign emails — often styled as meeting invitations — and include multiple @state.gov email addresses in the CC field. While these addresses are fake, they lend the communication an air of credibility. This tactic exploits the assumption that, if the email were illegitimate, someone else copied on the message would intervene.
Over time, the continued exchange of innocuous messages establishes trust, paving the way for the next phase of the attack.
Kremlin invitation
After a rapport is formed, the victim is sent a PDF appearing to contain instructions from the U.S. Department of State. The document asks the recipient to generate a Gmail application-specific password to access a secure government platform. This request, though disguised in official-sounding language and procedural formatting, is a phishing lure.
Once the ASP is created and shared, the attacker configures a mail client using that code. Because ASPs are designed to work with legacy systems that bypass 2FA, the attacker gains immediate and ongoing access to the target’s inbox — without triggering any additional security verification.
This includes access to emails, attachments, internal threads, personal contacts, and sensitive policy discussions. To further evade detection, APT29 routes its activity through residential proxy services and virtual private servers (VPSs), masking its location and blending into routine traffic patterns.
While the campaign doesn’t involve malware or system compromise in the traditional sense, the outcome is equally serious: the quiet, prolonged exposure of sensitive communications.
When a feature becomes a flaw
Gmail’s application-specific passwords were created to address a legitimate compatibility issue: allowing less secure applications to access Gmail accounts protected by 2FA. But like OAuth device codes and other authentication workflows, this feature can be turned into an entry point when attackers gain a victim’s trust.
APT29 has already demonstrated mastery in abusing these types of flows. Previous campaigns used device code phishing and device join phishing to hijack Microsoft 365 accounts via similarly deceptive means. This latest operation is part of that evolution — showing how threat actors can exploit not only software, but psychology and process.
The abuse of ASPs is particularly dangerous because it sidesteps many of the signals defenders rely on, including MFA challenges, login alerts, and credential stuffing protection. The attacker never needs a password. They just need the victim to generate and hand over a code, believing it’s the correct protocol.
Harden the inbox, close the door
While the Gmail ASP phishing campaign relies on user manipulation, the defensive countermeasures are technical, policy-based, and procedural. Organizations and individuals managing high-value email accounts — particularly those in academia, research, foreign policy, or government-adjacent roles — should apply the following mitigations:
- Disable application-specific passwords for all users where possible, especially in Google Workspace environments handling sensitive communications.
- Block or restrict legacy app access via admin console settings, eliminating the loophole that allows ASPs to bypass 2FA.
- Monitor for the creation of new mail clients, particularly following PDF-based email interactions or suspicious communications involving government impersonation.
- Flag and investigate login activity originating from residential proxies, VPSs, or previously unseen geographic regions.
- Conduct regular security awareness training with an emphasis on slow, non-urgent phishing techniques and trust-based deception.
- Scrutinize PDF attachments that reference credential generation, cloud access, or cross-institutional collaboration — especially when accompanied by government branding.
- Implement anomaly detection tools that trigger alerts when email access methods or authentication tokens change unexpectedly.
- Reinforce zero-trust policies that reject any unsolicited request for credential setup or shared authentication.
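The monitoring items above (new mail clients, unfamiliar source IPs, changed access methods) can be combined into one detection rule. The following is an added example, not code from the original post or from GTIG/Citizen Lab; the event schema and the log records are constructed for illustration, and a real deployment would map the equivalent Google Workspace audit-log fields onto them. It flags an app-password (ASP) login when the source IP has never been seen for that user or when the login closely follows the creation of a new ASP.

```python
"""Detection sketch for app-password (ASP) abuse in a mail login log.

Added example with a hypothetical event schema; the records below are
constructed sample data, not real audit-log output.
"""
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema).
EVENTS = [
    {"ts": "2025-06-01T09:00:00", "user": "analyst@example.org",
     "event": "login", "method": "browser", "ip": "203.0.113.10"},
    {"ts": "2025-06-05T08:30:00", "user": "researcher@example.org",
     "event": "login", "method": "browser", "ip": "203.0.113.20"},
    {"ts": "2025-06-10T14:20:00", "user": "analyst@example.org",
     "event": "asp_created"},
    {"ts": "2025-06-11T02:05:00", "user": "analyst@example.org",
     "event": "login", "method": "app_password", "client": "imap",
     "ip": "198.51.100.77"},
    {"ts": "2025-06-12T10:00:00", "user": "researcher@example.org",
     "event": "login", "method": "app_password", "client": "imap",
     "ip": "203.0.113.20"},
]

RECENT_ASP_DAYS = 7  # an ASP minted this shortly before a login is suspicious


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def find_asp_abuse(events, recent_asp_days=RECENT_ASP_DAYS):
    """Return alerts for app-password logins from an IP the user has never
    used before, or that closely follow the creation of a new ASP."""
    seen_ips = {}   # user -> IPs observed earlier in the (time-ordered) stream
    last_asp = {}   # user -> timestamp of the most recent ASP creation
    alerts = []
    for e in sorted(events, key=_ts):
        user, when = e["user"], _ts(e)
        if e["event"] == "asp_created":
            last_asp[user] = when
            continue
        if e["event"] != "login":
            continue
        known = seen_ips.setdefault(user, set())
        if e.get("method") == "app_password":
            reasons = []
            if e["ip"] not in known:
                reasons.append("new_ip_for_user")
            asp_at = last_asp.get(user)
            if asp_at and when - asp_at <= timedelta(days=recent_asp_days):
                reasons.append("asp_created_recently")
            if reasons:
                alerts.append({"user": user, "ip": e["ip"], "ts": e["ts"],
                               "client": e.get("client"), "reasons": reasons})
        known.add(e["ip"])  # every login extends the user's IP baseline
    return alerts
```

In the sample data only the analyst's IMAP login fires: it comes from an IP that user has never used and within a day of a new ASP, while the researcher's app-password login from an already-known IP is left alone.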
APT29’s abuse of Gmail ASPs is not a breach in the traditional sense — there’s no vulnerability in the software, no exploit in the code. Instead, it’s a breach in trust, executed through procedural mimicry and psychological precision. In an era of advanced phishing tactics, even legitimate security tools can become conduits for compromise.
If the request comes in the form of a PDF asking you to generate access credentials, pause. No real agency needs you to open your inbox by handing over a backdoor key.