Russian-linked hackers exploit Google App passwords in email espionage campaign


A cyberespionage campaign linked to Russian state-sponsored actors has been observed using a little-known Google account feature, application-specific passwords (ASPs), to infiltrate victims’ email accounts, according to an investigation by Google’s Threat Intelligence Group (GTIG) and the Citizen Lab.

The threat group, tracked by Google as UNC6293 and believed to be affiliated with APT29 (aka Cozy Bear), has been targeting US-based academics and critics of the Russian government since at least April 2025. The group is believed to have ties to Russia’s intelligence services.

The attackers employed highly personalized, long-term social engineering tactics, in which victims were tricked into creating and sharing ASPs under the mistaken belief that they were enabling secure communication with the US Department of State.

“After creating the ASP, the attackers directed the target to send them the 16-character code. The attackers then set up a mail client to use the ASP, likely with the end goal of accessing and reading the victim’s email correspondence. This method also allows the attackers to have persistent access to accounts,” GTIG explained.

Phishing emails were disguised as meeting invitations and included multiple fake ‘@state.gov’ email addresses in the CC line to boost credibility. The Citizen Lab noted that this tactic exploited a flaw in the State Department’s email configuration, which fails to bounce emails sent to non-existent addresses, making the fakes harder to detect.

The attackers sent victims a PDF document with detailed instructions on generating an ASP and connecting to a fake Department of State cloud portal. Once the code was shared, the hackers used it to access the victim’s Gmail via third-party mail clients, bypassing two-factor authentication and gaining long-term access.
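The lure pattern described above (a meeting invitation, several addresses on a credible government domain in CC, a PDF attachment, and a request to generate an app password) can be screened for with simple heuristics on inbound mail. The following is an added example, not code from Google, the Citizen Lab or the article; the two messages, the watched domain list and the keyword list are constructed for illustration.

```python
import email
from email import policy

# Constructed sample messages (not real campaign artifacts) showing the lure pattern the
# article describes: meeting invitation, several @state.gov CCs, PDF, app-password request.
LURE = """\
From: Contact <contact@example.org>
Cc: a.smith@state.gov, b.jones@state.gov, c.lee@state.gov, d.park@state.gov
Subject: Meeting invitation: consultation
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please generate an app password and enter it in the portal. Instructions attached.
--b1
Content-Type: application/pdf; name="instructions.pdf"
Content-Disposition: attachment; filename="instructions.pdf"

%PDF-1.4 placeholder
--b1--
"""
BENIGN = """\
From: Colleague <colleague@example.com>
Cc: friend@example.com
Subject: Lunch tomorrow?

Are you free for lunch tomorrow?
"""
WATCH_DOMAINS = {"state.gov"}  # assumed: domains whose names lend a lure credibility
KEYWORDS = ("app password", "application-specific password", "16-character")

def lure_indicators(raw: str, cc_threshold: int = 3) -> list[str]:
    """Return the lure indicators found in one RFC 5322 message (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    cc = msg["Cc"].addresses if msg["Cc"] else ()  # parsed CC recipients
    for dom in WATCH_DOMAINS:  # many recipients on one high-credibility domain
        n = sum(a.domain.lower() == dom for a in cc)
        if n >= cc_threshold:
            hits.append(f"{n} CC addresses at {dom}")
    if "invitation" in (msg["Subject"] or "").lower():
        hits.append("invitation subject")
    if any((p.get_filename() or "").lower().endswith(".pdf") for p in msg.iter_attachments()):
        hits.append("pdf attachment")
    body = msg.get_body(preferencelist=("plain",))  # plain-text body, if any
    if body and any(k in body.get_content().lower() for k in KEYWORDS):
        hits.append("asks for app password")
    return hits
```

Messages that hit several indicators at once are worth routing to manual review; a single hit (an invitation subject, say) is normal traffic.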

Google also reported spotting a second campaign with Ukrainian themes. In both cases, the attackers used residential proxies and VPS servers to mask their locations and avoid detection.
