Google Exposes Patient Russian Hackers Targeting Critics with Clever Social Engineering

Google’s Threat Intelligence Group (GTIG) is warning of a sophisticated new campaign by Russian state-sponsored hackers targeting academics and critics of Russia. Tracked as UNC6293 and potentially linked to the notorious APT29 group (also known as Cozy Bear), the attackers rely on patient social engineering rather than immediate malware to win their targets’ trust.

The multi-stage attack typically opens with a deceptive phishing email that spoofs a U.S. State Department address so the approach looks official.

The hackers then engage in slow-paced, personalized conversations to build rapport, eventually inviting the target to a private meeting or conversation. Prominent Russia researcher Keir Giles has confirmed that the campaign targeted him.

The ultimate goal is to steer the victim, via a seemingly harmless PDF attachment, to a fake State Department cloud portal. There the victim is instructed to generate an “App-Specific Password” (ASP) for their Google account and hand over the resulting 16-character code. The ASP is the prize: it is a secondary password that lets an application sign in without completing two-step verification, so whoever holds it can log in to the victim’s Gmail (for example over IMAP) and read the mailbox without ever triggering a second-factor prompt.

Google notes that ASPs are rarely necessary and not recommended for most users. They can only be created once two-step verification is switched on, they can be reviewed and revoked at any time from the Google Account security settings, and accounts enrolled in Google’s Advanced Protection Program cannot create them at all. The campaign is a powerful reminder that social engineering remains a highly effective attack vector. The standard advice still holds: be wary of unsolicited attachments, and never hand over a password, one-time code or app password, however official the request appears; no legitimate government portal needs a password to your personal email account.
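For administrators who want to act on that caveat, the practical check is to inventory which users actually have ASPs and flag the ones that look like fresh social-engineering artefacts or dead credentials. The script below is an added example, not code from the article or from Google’s report. It assumes records shaped like the Google Workspace Admin SDK Directory API `users.asps.list` response (`codeId`, `name`, `creationTime` and `lastTimeUsed` in epoch milliseconds); the sample records and the thresholds `RECENT_DAYS` and `STALE_DAYS` are constructed for illustration, and the API call itself is not made so the code runs offline.

```python
"""Triage app-specific passwords (ASPs) from a Workspace inventory.

Added example (not from the article or Google's report). Record shape
follows the Admin SDK Directory API users.asps.list response; the sample
data below is constructed and no API call is made.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RECENT_DAYS = 14   # assumption: an ASP newer than this needs a conversation with the user
STALE_DAYS = 90    # assumption: an ASP unused for this long should simply be revoked


@dataclass
class Finding:
    user: str
    code_id: int
    name: str
    reason: str


def _ms_to_dt(ms):
    """Directory API timestamps are int64 epoch milliseconds (often as strings)."""
    return datetime.fromtimestamp(int(ms) / 1000, tz=timezone.utc)


def triage_asps(user, asps, now):
    """Return one Finding per ASP that deserves review or revocation.

    Recently created ASPs are the signature of the lure described in the
    article (the victim is walked through creating one on the spot), so they
    are flagged first. Older ASPs that were never used, or not used for a
    long time, are unneeded credentials and are flagged for revocation.
    """
    findings = []
    for asp in asps:
        created = _ms_to_dt(asp["creationTime"])
        last_used_ms = int(asp.get("lastTimeUsed", 0))  # 0 / absent means never used
        name = asp.get("name", "")

        if now - created <= timedelta(days=RECENT_DAYS):
            findings.append(Finding(user, asp["codeId"], name,
                            f"created within the last {RECENT_DAYS} days; confirm the user created it knowingly"))
            continue
        if last_used_ms == 0:
            findings.append(Finding(user, asp["codeId"], name, "never used; revoke"))
        elif now - _ms_to_dt(last_used_ms) > timedelta(days=STALE_DAYS):
            findings.append(Finding(user, asp["codeId"], name,
                            f"unused for more than {STALE_DAYS} days; revoke"))
    return findings


def _ms(year, month, day):
    """Helper to build constructed epoch-millisecond timestamps."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp() * 1000)


# Constructed sample inventory for one user, evaluated as of 2025-06-20 UTC.
NOW = datetime(2025, 6, 20, tzinfo=timezone.utc)
SAMPLE_ASPS = [
    {"codeId": 1, "name": "Thunderbird", "creationTime": _ms(2023, 1, 10), "lastTimeUsed": _ms(2025, 6, 19)},
    {"codeId": 2, "name": "Old phone mail", "creationTime": _ms(2024, 1, 1), "lastTimeUsed": _ms(2024, 12, 1)},
    {"codeId": 3, "name": "calendar sync", "creationTime": _ms(2025, 6, 18), "lastTimeUsed": _ms(2025, 6, 18)},
    {"codeId": 4, "name": "printer", "creationTime": _ms(2022, 5, 5)},
]

if __name__ == "__main__":
    for f in triage_asps("researcher@example.com", SAMPLE_ASPS, NOW):
        print(f"{f.user}  codeId={f.code_id}  name={f.name!r}  {f.reason}")
```

Run against the sample, the active Thunderbird ASP is left alone, the phone ASP is flagged as stale, the two-day-old “calendar sync” ASP is flagged for a follow-up with the user, and the never-used printer ASP is flagged for revocation. In a real deployment the records would come from `users.asps.list` for each user and revocation would go through the same resource’s `delete` method or the user’s own App passwords page.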