
Russian cyberattack on Gmail: Hackers bypass Google's two-factor authentication

UNC6293, a Russian threat group that Google assesses with low confidence to be linked to APT29 (also tracked as Cozy Bear, Cloaked Ursa, or Midnight Blizzard), has found a way around the two-factor authentication that protects Gmail accounts. The method, documented by researchers at The Citizen Lab together with Google's Threat Intelligence Group, was used in attacks against academics, journalists, and critics of the Russian government between April and early June 2025. Two separate campaigns were recorded in that period.

An email claiming to be from the government

Described by the researchers as "a new sophisticated and personalized social engineering attack", the operation begins with an email. The attackers impersonate officials of the United States Department of State, the federal department responsible for foreign relations. One of the emails studied was signed by a certain Claudie S. Weber, a name that does not correspond to any real State Department employee. In it, the supposed official invites the recipient to a "private online conversation" that requires their expertise. The campaign targeted a number of prominent experts, among them Keir Giles, the British specialist on Russian influence operations.

To allay the target's suspicion, the attackers show great patience: the email exchanges last several weeks. They also copy several @state.gov addresses on the messages. Because the State Department's mail server accepts messages to non-existent addresses without bouncing them, these fake colleagues never produce a delivery failure that would expose the ruse. As a result, the target is convinced that they are dealing with official communication from the US government.

The Google App Password

During the conversation, the attackers invite the expert to join a platform called "US DoS Guest Tenant". This platform is supposed to let the target "easily attend future meetings, regardless of when they take place". Eager to participate, the expert accepts, and then receives a PDF file with precise instructions on how to configure access to the platform.

In reality, the instructions are written so as to lead the victim to create a Google App Password. This is a 16-character code that allows an older or less secure app to access a Gmail account even when two-factor authentication is enabled; it is only offered on accounts that have 2-Step Verification turned on, and by design it is not subject to the second factor. Some apps, such as older email clients, connected devices, or security cameras, do not support modern authentication methods, which is why app passwords exist. Once the code is created, the expert is told to hand it to the supposed government officials. To "complete the setup, forward this password to the person at the US State Department who invited you to join 'US DoS Guest 0365 Tenant' as a tenant member," the email reads.

Instead of setting up a government platform, the victim gives the Russian attackers full access to their Gmail account, and from there the attackers can exfiltrate a wealth of confidential data. The attack involves no malware and exploits no security vulnerability; it rests entirely on manipulating the target. As Google puts it, "this is not a vulnerability in Gmail itself." Rather, "attackers abused this legitimate feature through deceptive social engineering."

Google recommends that potentially targeted users enroll in its Advanced Protection Program. Designed for at-risk individuals, the program is the highest level of security available for Google Accounts, and enrollment also disables app passwords.
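For Google Workspace administrators, the corresponding check is to enumerate the app passwords that exist across the domain and flag any that were created recently or have never been used, which is what a password handed to a third party looks like. The script below is an added example, not code from Google, The Citizen Lab, or this article. It works offline on a constructed fixture shaped like the Admin SDK Directory API `asps.list()` response; the `fetch_live` and `revoke` helpers show the real API calls but assume an admin credential with the `admin.directory.user.security` scope and the `google-api-python-client` package, and are not exercised here.

```python
"""Audit Google Workspace app passwords via the Directory API 'asps' resource.

Added example: triage logic runs offline on the constructed fixture below;
fetch_live()/revoke() wrap the real API and need admin credentials (assumed).
"""
from datetime import datetime, timedelta, timezone

# Fixed reference time so the fixture is deterministic.
NOW = datetime(2025, 6, 10, tzinfo=timezone.utc)


def _ms(dt):
    """The API serialises timestamps as epoch milliseconds in a string."""
    return str(int(dt.timestamp() * 1000))


# Constructed sample in the shape of
# GET /admin/directory/v1/users/{userKey}/asps (kind: admin#directory#aspList).
SAMPLE_ASPS = {
    "analyst@example.org": {
        "kind": "admin#directory#aspList",
        "items": [
            # Old, regularly used: a legitimate mail client.
            {"kind": "admin#directory#asp", "codeId": 101,
             "name": "Thunderbird (laptop)",
             "creationTime": _ms(NOW - timedelta(days=400)),
             "lastTimeUsed": _ms(NOW - timedelta(days=1))},
            # Created days ago and never used from this side: the pattern of a
            # password generated under instruction and handed to someone else.
            {"kind": "admin#directory#asp", "codeId": 102,
             "name": "US DoS Guest Tenant",
             "creationTime": _ms(NOW - timedelta(days=3)),
             "lastTimeUsed": "0"},
        ],
    },
    # Users with no app passwords come back without an 'items' key.
    "editor@example.org": {"kind": "admin#directory#aspList"},
}


def triage(asps_by_user, now=NOW, recent_days=30):
    """Return one finding per app password with the flags that apply to it."""
    findings = []
    for user, resp in asps_by_user.items():
        for asp in resp.get("items", []):
            created = datetime.fromtimestamp(int(asp["creationTime"]) / 1000,
                                             tz=timezone.utc)
            age_days = (now - created).days
            flags = []
            if age_days <= recent_days:
                flags.append("created_recently")
            if int(asp.get("lastTimeUsed", "0")) == 0:
                flags.append("never_used")
            findings.append({"user": user, "codeId": asp["codeId"],
                             "name": asp.get("name", ""),
                             "age_days": age_days, "flags": flags})
    return findings


def revocation_candidates(findings):
    """(user, codeId) pairs for every flagged password, ready for revoke()."""
    return [(f["user"], f["codeId"]) for f in findings if f["flags"]]


def build_service(creds):
    """Assumed: Directory API client; scope
    https://www.googleapis.com/auth/admin.directory.user.security."""
    from googleapiclient.discovery import build  # not imported at module level
    return build("admin", "directory_v1", credentials=creds)


def fetch_live(service, users):
    """Collect asps.list() responses for the given primary emails (network)."""
    return {u: service.asps().list(userKey=u).execute() for u in users}


def revoke(service, user, code_id):
    """Delete one app password; the client using it loses access immediately."""
    service.asps().delete(userKey=user, codeId=code_id).execute()


if __name__ == "__main__":
    for f in triage(SAMPLE_ASPS):
        print(f"{f['user']:<24} codeId={f['codeId']} age={f['age_days']}d "
              f"name={f['name']!r} flags={f['flags']}")
    print("revoke:", revocation_candidates(triage(SAMPLE_ASPS)))
```

Swap `SAMPLE_ASPS` for `fetch_live(build_service(creds), users)` to run against a real tenant; the `name` field is whatever the user typed when creating the password, so a name echoing the attacker's pretext (as in the fixture) is itself an indicator worth keeping in the report.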

Source: Google
