Russian group UNC6293 rolls out a phishing technique that slips past Gmail’s MFA.

A suspected Russian state-backed hacking group, tracked as UNC6293 and believed to be associated with APT29, has run a phishing campaign that sidesteps Gmail’s multi-factor authentication (MFA) by abusing Google’s app-specific password (ASP) feature: rather than defeating the second factor, the attackers talk the victim into issuing a credential that is exempt from it by design. The campaign targeted high-profile individuals by impersonating US State Department officials and relied on patient, highly convincing social engineering.

How the Attack Works

• Social Engineering: The attackers initiated contact posing as US State Department staff and engaged targets in extended, professional email conversations to build trust. The messages were written in flawless English and CC’d fabricated colleagues at @state.gov addresses to lend the thread authenticity.
• Phishing with an ASP: Once rapport was established, the attackers sent a six-page PDF styled as official documentation that walked the target through generating a 16-character app-specific password in their Google Account settings. The document told the victim to label the password “ms.state.gov” and to send it back to the attackers “to complete secure onboarding”.
• Bypassing MFA: App-specific passwords exist so that applications that cannot complete an interactive Google sign-in (typically mail clients using IMAP or SMTP) can still authenticate; each ASP is a separate credential that, by design, is accepted without the account’s main password or a second-factor prompt. ASPs can only be generated on accounts that already have 2-Step Verification enabled, so the lure works precisely against users who believe MFA is protecting them. With the victim’s ASP in hand, the attackers could sign in to Gmail as the victim with no MFA challenge, and because an ASP stays valid until it is explicitly revoked, that access was persistent.

Notable Features of the Attack

• Highly Polished Lures: The phishing emails and documents were free of the language errors that usually give phishing away, which the researchers suggested may indicate the use of generative AI tools.
• Targeted Victims: The campaign included high-profile targets such as researchers and officials, and involved extensive preparation, including the creation of fake identities and supporting materials.
• Operational Security: The attackers signed in through residential proxy IPs, so the logins appeared to come from ordinary consumer ISP address space rather than from hosting providers that defenders routinely flag, and occasionally reused the same proxy node across different victims. That reuse cuts both ways: it hampers attribution, but a source IP that touches several unrelated accounts is itself a strong pivot for defenders.
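The proxy-node reuse described above is one of the few detection opportunities a campaign like this leaves behind. The following is an added example, not code from the original article or from the researchers who reported the campaign: it runs a simple hunt over sign-in records, grouping successful logins by source IP and reporting any address that authenticated to two or more distinct accounts. The sample log lines and the corporate-egress allowlist are constructed for the example; in practice the records would come from the mail provider’s login audit log.

```python
"""Hunt for a login source reused across several victim accounts.

Added example (not from the original article). Input is a constructed
sign-in log of "timestamp,account,source_ip" lines.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in log: ISO-8601 timestamp, account, source IP.
# 198.51.100.7 plays the reused residential proxy node; 203.0.113.10 plays
# the office NAT that every account legitimately shares.
SAMPLE_LOGINS = """\
2024-06-10T08:02:11Z,alice@example.org,203.0.113.10
2024-06-10T09:15:42Z,alice@example.org,198.51.100.7
2024-06-11T21:40:05Z,bob@example.org,198.51.100.7
2024-06-11T22:01:19Z,carol@example.org,192.0.2.33
2024-06-12T03:11:50Z,dave@example.org,198.51.100.7
2024-06-12T07:45:00Z,carol@example.org,203.0.113.10
"""

# Constructed allowlist of shared egress (office NAT, corporate VPN) that
# would otherwise trip the "one IP, many accounts" rule on every run.
KNOWN_SHARED_EGRESS = frozenset({"203.0.113.10"})


def parse_logins(text):
    """Parse the constructed log into (datetime, account, ip) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, account, ip = line.split(",")
        # fromisoformat() on older Pythons rejects a trailing "Z".
        records.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), account, ip))
    return records


def shared_nodes(records, min_accounts=2, allowlist=frozenset()):
    """Return {ip: {accounts, first_seen, last_seen}} for every source IP that
    signed in to at least `min_accounts` distinct accounts and is not known
    shared egress. Such an IP is a candidate attacker node to pivot on."""
    by_ip = defaultdict(list)
    for ts, account, ip in records:
        by_ip[ip].append((ts, account))

    findings = {}
    for ip, hits in by_ip.items():
        if ip in allowlist:
            continue
        accounts = sorted({account for _, account in hits})
        if len(accounts) < min_accounts:
            continue
        times = [ts for ts, _ in hits]
        findings[ip] = {
            "accounts": accounts,
            "first_seen": min(times).isoformat(),
            "last_seen": max(times).isoformat(),
        }
    return findings


if __name__ == "__main__":
    for ip, info in shared_nodes(parse_logins(SAMPLE_LOGINS), allowlist=KNOWN_SHARED_EGRESS).items():
        print(ip, info["accounts"], info["first_seen"], "->", info["last_seen"])
```

The allowlist matters more than it looks: without it, every office NAT address satisfies the rule, and the alert drowns in noise. A real deployment would also want to restrict the window to the period after the first phishing contact and to logins that used an app password rather than an interactive sign-in, where the audit source exposes that distinction.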

Impact and Response

• Account Compromise: With the ASP, attackers could sign in to Gmail without ever seeing an MFA prompt, read and exfiltrate mail, and potentially use the mailbox as a foothold into the victim’s other accounts and contacts.
• Google’s Mitigation: Google has revoked the stolen ASPs it identified, locked the affected accounts, and notified other potential targets. It recommends that high-risk users enroll in Google’s Advanced Protection Program, which disables app-specific passwords altogether, and that users review the App passwords page in their Google Account security settings (under 2-Step Verification) and delete any entry they do not recognize.