Google Uncovers Sophisticated ASP Phishing Attack Aimed at Russia Critics

Google’s Threat Intelligence Group (GTIG), with support from external partners, revealed a highly targeted and technically advanced phishing campaign orchestrated by a Russian state-sponsored actor identified as UNC6293.

The operation, running from at least April through early June 2025, targeted prominent academics and critics of Russia with the intent of gaining persistent access to their email accounts by exploiting Google Application Specific Passwords (ASPs).

Campaigns Exploit Application Specific Passwords

The attackers employed refined social engineering tactics, focusing on rapport building and highly tailored lures to engage their targets.

GTIG’s investigation found that UNC6293, tentatively associated with the APT29/ICECAP group, initiated contact by impersonating the U.S. Department of State.

Using non-malicious but convincing phishing emails, they invited their targets to meetings and included spoofed Department of State email addresses in the CC field to enhance credibility.

Upon eliciting a response, the threat actor sent a benign PDF document, customized to each target, containing instructions to access a fictitious Department of State cloud portal.

[Image: Benign PDF document with instructions]

Victims were guided to the legitimate Google Account portal and instructed to create an Application Specific Password, a 16-character passcode typically used for device or application access in environments where two-step verification (2SV) is unsupported.

The lure asked the recipient to name the ASP as “ms.state.gov” in one campaign, or use Ukrainian and Microsoft-themed names in another, and to send the code directly back to the attackers.

UNC6293 as Key Threat Actor in Operation

With the ASP in hand, the adversaries configured mail clients to access their victims’ Gmail accounts, effectively bypassing multi-factor authentication since ASPs are exempt from standard 2SV requirements.

This approach provided them with persistent and covert access, allowing continuous monitoring of sensitive communications.

Technical analysis revealed the campaigns were coordinated through attacker infrastructure that included the reuse of residential proxies and VPS resources, notably the IP address 91.190.191.117.

This overlap in infrastructure facilitated the linking of distinct phishing campaigns to the same actor cluster. Google has since taken steps to revoke illicit ASPs and secure compromised accounts.

These findings echo recent research by Citizen Lab, which highlighted the rising use of social engineering against ASPs, and underscore the growing risks faced by high-profile individuals.

While Google gives users full control over their ASPs, including the ability to create or revoke them at any time, GTIG strongly recommends that high-risk users enroll in Google’s Advanced Protection Program (APP).

Enrollment in APP blocks the creation of ASPs altogether, significantly reducing attack surfaces.

Google’s commitment to transparency extends to sharing intelligence with targeted organizations and the wider security community, aiming to strengthen industry-wide defenses and improve detection of emerging tactics.

The company urges all users, especially those at elevated risk, to remain vigilant to unsolicited requests for account credentials and to utilize enhanced security features wherever possible.

Indicators of Compromise (IOC)

| Campaign | Sender Theme | ASP Name | Attacker Infrastructure | Lure PDF SHA256 |
| --- | --- | --- | --- | --- |
| Campaign 1 | State Department | ms.state.gov | 91.190.191.117 (Residential Proxy) | 329fda9939930e504f47d30834d769b30ebeaced7d73f3c1aadd0e48320d6b39 |
| Campaign 2 | Unknown | Ukrainian/Microsoft-themed | 91.190.191.117 (Residential Proxy) | 329fda9939930e504f47d30834d769b30ebeaced7d73f3c1aadd0e48320d6b39 |
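As an added, defender-side example (not part of this report or Google's tooling), the script below triages a Google Workspace user's ASP inventory and login records against the indicators above: it flags ASPs whose names match the lure themes or that were created during the campaign window, and login records sourced from the published attacker IP. The ASP sample mirrors the field names of the Admin SDK Directory API asps.list response, but all values, the login record shape, and the analysis date are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like an Admin SDK Directory API asps.list response
# (codeId, name and creationTime are the API's field names; values are made up).
SAMPLE_ASPS = {"items": [
    {"codeId": 1, "name": "Home iPhone Mail", "creationTime": "1690000000000"},
    {"codeId": 2, "name": "ms.state.gov", "creationTime": "1746000000000"},
    {"codeId": 3, "name": "Microsoft Outlook (Ukraine)", "creationTime": "1747000000000"},
]}
# Constructed login records; this minimal shape (user, ip, protocol) is assumed.
SAMPLE_LOGINS = [
    {"user": "prof@example.org", "ip": "203.0.113.5", "protocol": "web"},
    {"user": "prof@example.org", "ip": "91.190.191.117", "protocol": "imap"},
]
# Analysis date used for the sample run (constructed; falls in the campaign window).
REFERENCE_NOW = datetime(2025, 6, 10, tzinfo=timezone.utc)

# Name fragments taken from the lures described in the article.
LURE_NAME_PATTERNS = [r"state\.gov", r"ukrain", r"microsoft"]
# Attacker infrastructure listed in the article's IOC table.
KNOWN_ATTACKER_IPS = {"91.190.191.117"}

def _epoch_ms(value):
    """Google returns creationTime as milliseconds since the epoch, as a string."""
    return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)

def triage_asps(asps_response, now, recent_days=60):
    """Return [(codeId, name, [reasons])] for ASPs an admin should review."""
    findings = []
    for asp in asps_response.get("items", []):
        name, reasons = asp.get("name", ""), []
        if any(re.search(p, name, re.I) for p in LURE_NAME_PATTERNS):
            reasons.append("name matches a known lure")
        if now - _epoch_ms(asp["creationTime"]) <= timedelta(days=recent_days):
            reasons.append("created within %d days" % recent_days)
        if reasons:
            findings.append((asp["codeId"], name, reasons))
    return findings

def logins_from_attacker_infra(logins):
    """Return login records whose source IP is in the published indicator set."""
    return [e for e in logins if e["ip"] in KNOWN_ATTACKER_IPS]

if __name__ == "__main__":
    for code_id, name, why in triage_asps(SAMPLE_ASPS, REFERENCE_NOW):
        print(f"ASP {code_id} '{name}': {', '.join(why)}")
    for e in logins_from_attacker_infra(SAMPLE_LOGINS):
        print(f"{e['user']} logged in from {e['ip']} via {e['protocol']}")
```

Flagged ASPs can then be revoked with the same API's delete call, and the matching user's mail-client sessions reviewed.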

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.