Russian state-sponsored hackers have found a new way to bypass Google’s two-factor authentication by exploiting a legitimate feature known as app-specific passwords.

The attackers impersonated U.S. State Department officials in a carefully crafted phishing campaign that targeted well-known academics and critics of Russia between April and early June 2025.

Security researchers from Google’s Threat Intelligence Group (GTIG) have linked the operation to a threat actor tracked as UNC6293, believed to be associated with APT29 — a group tied to Russia’s Foreign Intelligence Service (SVR). APT29, also known by aliases such as Nobelium, Cozy Bear, and Midnight Blizzard, has a long history of targeting government agencies, think tanks, and research institutions worldwide.

In one of the cases analyzed by academic research group The Citizen Lab, Russian expert Keir Giles received a phishing email claiming to be from a U.S. State Department employee named Claudie S. Weber. The email invited him to a private online conversation. Although the email originated from a Gmail account, it included several @state.gov addresses in the CC line to make it appear legitimate. Citizen Lab researchers later confirmed that no such person named Claudie S. Weber works at the State Department.

After exchanging several emails to build trust, the attacker encouraged Giles to register on a supposed State Department guest platform. As part of this process, he was asked to generate a Google app-specific password — a feature used to grant access to older apps when 2FA is enabled — and share it with the platform administrator. In reality, this gave the attacker full access to his Gmail account, bypassing the need for verification codes or other credentials.
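The lure described above relies on a consumer-webmail sender padding the Cc line with official addresses to borrow their credibility. The following receiver-side check, an added example that is not code from Google, GTIG or Citizen Lab, flags that pattern in raw message headers; the freemail domain list, the `official_domains` parameter and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Consumer webmail domains from which no agency sends official correspondence (constructed list).
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}


def _domains(header_values):
    """Lowercase domain part of every address found in the given header values."""
    return {addr.rsplit("@", 1)[-1].lower()
            for _, addr in getaddresses(header_values) if "@" in addr}


def flag_borrowed_affiliation(raw_message, official_domains):
    """Return a verdict dict for one RFC 822 message.

    The message is suspicious when the From domain is consumer webmail while
    To/Cc carry addresses from a domain the sender implicitly claims to
    represent (for example state.gov). Hypothetical helper, not a Google API.
    """
    msg = message_from_string(raw_message)
    sender = _domains(msg.get_all("From", []))
    recipients = _domains(msg.get_all("To", []) + msg.get_all("Cc", []))
    borrowed = recipients & {d.lower() for d in official_domains}
    return {
        "suspicious": bool(sender & FREEMAIL_DOMAINS) and bool(borrowed),
        "sender_domains": sorted(sender),
        "borrowed_domains": sorted(borrowed),
    }


# Constructed sample reproducing the pattern: Gmail sender, state.gov addresses in Cc.
SAMPLE_PHISH = """From: "Claudie S. Weber" <placeholder.sender@gmail.com>
To: target@example.edu
Cc: first.official@state.gov, second.official@state.gov
Subject: Private conversation request

Dear Professor, ...
"""

# Constructed benign message: institutional sender, no borrowed official domain.
SAMPLE_LEGIT = """From: colleague@example.edu
To: target@example.edu
Cc: another@example.edu
Subject: Meeting

Hi, ...
"""

if __name__ == "__main__":
    print(flag_borrowed_affiliation(SAMPLE_PHISH, ["state.gov"]))
    print(flag_borrowed_affiliation(SAMPLE_LEGIT, ["state.gov"]))
```

A hit is a triage signal, not proof: a genuine official can mail from a personal account, so route flagged messages to a reviewer rather than dropping them.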

Google’s GTIG identified two coordinated campaigns during this period: one themed around the U.S. Department of State and another involving lures related to Ukraine and Microsoft. The hackers used residential proxy servers and virtual private servers (VPS) to mask their activity and maintain anonymity while accessing compromised accounts.

These highly targeted phishing attempts show a significant level of preparation and personalization, including fake identities, credible-looking documents, and patient engagement with victims over time. The attackers did not rush their targets, making the scam harder to detect.

To protect high-risk users such as journalists, activists, and researchers, Google recommends joining its Advanced Protection Program. This program blocks the use of app-specific passwords and enforces stricter security measures, including hardware security keys and passkeys that cannot be bypassed through phishing.