
Russian Hackers Perfect New Social Engineering Attack That Bypasses MFA

State-backed attackers trick security expert into sharing app-specific passwords through elaborate three-week deception campaign

Russian Social Engineering Phishing Attack

Russian government-linked hackers have developed a sophisticated new social engineering technique that successfully bypasses multi-factor authentication (MFA) by tricking targets into creating and sharing app-specific passwords—credentials that provide complete account access without triggering security alerts.

The attack, documented by both The Citizen Lab and Google's Threat Intelligence Group (GTIG), successfully compromised Keir Giles, a prominent academic expert on Russian information operations and senior associate at Chatham House. 

Google has identified this as part of a broader campaign targeting multiple academics and critics of Russia across two distinct operations running from April through June 2025.

The attack began on May 22, 2025, when Giles received what appeared to be a legitimate consultation invitation from "Claudie S. Weber," allegedly a U.S. State Department official. 

The message included multiple @state.gov email addresses in the CC field—a clever psychological trick that made the correspondence appear authentic since recipients naturally assume government employees would object if the communication were fraudulent.

Over three weeks and more than 10 email exchanges, the attackers patiently guided Giles through what they claimed was a registration process for the State Department's "MS DoS Guest Tenant" platform. They provided an official-looking PDF document with detailed instructions for creating app-specific passwords, which they falsely described as necessary credentials for accessing the secure government system.

"The attackers skillfully reframed, creating and sending them an ASP as creating and sharing a code to obtain access to an application maintained by the State Department," the Citizen Lab researchers explained. "In reality, of course, the ASP would provide them complete and persistent access to his accounts."

Understanding App-Specific Passwords

App-specific passwords (ASPs) are legitimate security features designed for applications that cannot support standard multi-factor authentication. 

When users enable MFA on accounts like Gmail, certain older applications or email clients that cannot complete an MFA challenge use these special passwords to keep access. Unlike regular passwords, an ASP bypasses MFA entirely once created: anyone holding it can sign in without the second factor, which makes ASPs powerful tools in the wrong hands.

Google automatically sends notifications when ASPs are created, alerting users via Gmail, recovery email, and signed-in devices. However, in this attack, the victims believed they were legitimately creating these credentials for government access, so the notifications didn't raise suspicion.

Broader Campaign Targeting Russia Critics

Google's investigation revealed this wasn't an isolated incident but part of a coordinated campaign. GTIG identified two distinct operations running simultaneously, both targeting academics and critics of Russia using nearly identical tactics. 

The second campaign employed Ukrainian and Microsoft-themed app-specific password names, suggesting the attackers are testing various geopolitical themes to maximize their success rate.

Both campaigns utilized the same residential proxy infrastructure, allowing Google to connect the operations to a single threat actor group. This infrastructure reuse also enabled Google to identify and secure additional compromised accounts beyond the initial discovery.

The attackers demonstrated sophisticated technical knowledge by having Giles enter "ms.state.gov" in the app name field—a meaningless label that nonetheless reinforced the deception that he was registering a legitimate government application. This attention to psychological detail, combined with the unhurried pacing of the attack, helped maintain credibility throughout the extended social engineering campaign.

Attribution and Broader Campaign

Google's Threat Intelligence Group later identified the attackers as UNC6293, a Russian state-sponsored group with low-confidence links to APT29 (also known as "Cozy Bear"), which is attributed to Russia's Foreign Intelligence Service. 

The same group has launched similar campaigns with Ukrainian themes, suggesting this technique is being deployed more broadly.

After successfully obtaining Giles's app-specific passwords, the attackers accessed his accounts on June 4, 2025, using a Digital Ocean IP address. Giles suspects the stolen information may be manipulated and selectively released in future disinformation campaigns—a common tactic where "falsehoods are buried in forests of facts" to lend credibility to misleading narratives.

Protecting Against Advanced Social Engineering

Security experts warn that this attack represents a concerning evolution in social engineering tactics. Traditional phishing education focuses on obvious red flags, but this campaign deliberately avoided typical warning signs through patient, responsive communication and carefully crafted legitimacy indicators.

For high-risk individuals such as journalists, activists, and researchers, Google's Advanced Protection Program provides additional safeguards against sophisticated attacks. Organizations should also audit app-specific password usage, disabling the feature unless specifically required, and educate users about the risks these credentials pose.
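One way to act on the audit advice above, given the ASP mechanics described earlier: correlate ASP creation events with later ASP logins from addresses the account never used interactively. This is an added example, not code from the article, The Citizen Lab or Google; the audit-event field names and the sample events are constructed assumptions, so map them to the fields your Workspace or identity-provider export actually emits.

```python
# Added example (not from the article, Citizen Lab or Google): correlate
# app-specific-password (ASP) creation with later ASP logins from IPs never
# seen in the user's normal MFA logins. Event field names are constructed.
from datetime import datetime, timedelta

# Constructed sample audit events. The first user creates an ASP named after
# a bogus "ms.state.gov" app, then an ASP login arrives from a new IP.
# The second user legitimately uses an ASP from the same IP as their MFA logins.
EVENTS = [
    {"ts": "2025-05-30T10:02:00", "user": "analyst@example.org",
     "type": "login", "method": "password+mfa", "ip": "203.0.113.10"},
    {"ts": "2025-06-01T14:11:00", "user": "analyst@example.org",
     "type": "asp_created", "app_name": "ms.state.gov", "ip": "203.0.113.10"},
    {"ts": "2025-06-04T09:40:00", "user": "analyst@example.org",
     "type": "login", "method": "app_password", "ip": "198.51.100.77"},
    {"ts": "2025-05-20T08:00:00", "user": "mailuser@example.org",
     "type": "login", "method": "password+mfa", "ip": "203.0.113.55"},
    {"ts": "2025-05-21T08:05:00", "user": "mailuser@example.org",
     "type": "asp_created", "app_name": "Thunderbird", "ip": "203.0.113.55"},
    {"ts": "2025-05-21T08:06:00", "user": "mailuser@example.org",
     "type": "login", "method": "app_password", "ip": "203.0.113.55"},
]


def find_asp_abuse(events, window_days=30):
    """Return alerts for ASP logins within window_days of an ASP creation
    whose source IP never appeared in that user's interactive MFA logins."""
    known_ips = {}    # user -> IPs seen in password+mfa logins
    creations = {}    # user -> [(creation time, app name)]
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        if e["type"] == "login" and e["method"] == "password+mfa":
            known_ips.setdefault(user, set()).add(e["ip"])
        elif e["type"] == "asp_created":
            creations.setdefault(user, []).append((ts, e["app_name"]))
        elif e["type"] == "login" and e["method"] == "app_password":
            recent = [name for created, name in creations.get(user, [])
                      if timedelta(0) <= ts - created <= timedelta(days=window_days)]
            if recent and e["ip"] not in known_ips.get(user, set()):
                alerts.append({"user": user, "ip": e["ip"], "ts": e["ts"],
                               "app_names": recent})
    return alerts


if __name__ == "__main__":
    for a in find_asp_abuse(EVENTS):
        print(f"ALERT {a['user']}: ASP login from {a['ip']} at {a['ts']} "
              f"(recent ASPs: {', '.join(a['app_names'])})")
```

The second user is deliberately not flagged: an ASP used from the same address as the account's MFA logins is the normal mail-client case, so the rule keys on a new source address rather than on ASP use alone.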

The incident underscores how attackers are successfully adapting to improved security measures. As MFA adoption increases and users become more aware of traditional phishing tactics, threat actors are developing increasingly sophisticated social engineering approaches that exploit the complex ecosystem of modern authentication systems.

"Attackers are constantly adjusting their tactics," the researchers noted, emphasizing the need for continuous vigilance even among security-conscious users. This case serves as a stark reminder that in cybersecurity, the human element often remains the weakest link, regardless of technical protections in place.
