Cloud Blog: What’s in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia

Source URL: https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia/
Source: Cloud Blog
Title: What’s in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia

Written by: Gabby Roncone, Wesley Shields

In cooperation with external partners, Google Threat Intelligence Group (GTIG) observed a Russia state-sponsored cyber threat actor impersonating the U.S. Department of State. From at least April through early June 2025, this actor targeted prominent academics and critics of Russia, often using extensive rapport building and tailored lures to convince the target to set up application-specific passwords (ASPs). Once the target shares the ASP passcode, the attackers establish persistent access to the victim’s mailbox. Two distinct campaigns are detailed in this post. This activity aligns with Citizen Lab’s recent research on social engineering attacks against ASPs, another useful resource for high-risk users.
GTIG tracks this activity as UNC6293, a likely Russia state-sponsored cyber actor we assess with low confidence is associated with APT29 / ICECAP. After establishing rapport, the attacker sent phishing lures disguised as meeting invitations, and added spoofed Department of State email addresses on the cc line of the initial outreach to increase the legitimacy of the contact attempt. The initial phishing email itself is not directly malicious, but encourages the victim to respond to set up a meeting.

Figure 1: Keir Giles, a prominent British researcher on Russia, posted this screenshot of an email header showing the fake U.S. Department of State addresses used in a UNC6293 campaign

Targets who responded received an email with a benign PDF lure attached. The State Department themed lure is customized to the target and contains instructions to securely access a fake Department of State cloud environment. This included directing victims to go to https://account.google.com and create an Application Specific Password (ASP) or “app passwords.” ASPs are randomly generated 16-character passcodes that allow third-party applications to access your Google Account, intended for applications and devices that do not support features like 2-step verification (2SV). To use an ASP you must set it up and provide a name for the application.

Figure 2: Benign PDF document with instructions

In campaign one, the ASP name suggested in the lure PDF was “ms.state.gov” and in campaign two, we observed a Ukrainian and Microsoft themed ASP name. After creating the ASP, the attackers directed the target to send them the 16-character code. The attackers then set up a mail client to use the ASP, likely with the end goal of accessing and reading the victim’s email correspondence. This method also allows the attackers to have persistent access to accounts.

| Campaign | Sender Theme | ASP Name | Attacker Infrastructure Used |
| --- | --- | --- | --- |
| Campaign 1 | State Department | ms.state.gov | 91.190.191.117 – Residential proxy |
| Campaign 2 | Unknown | Ukrainian and Microsoft-themed ASP | 91.190.191.117 – Residential proxy |

Attackers logged into victim accounts primarily using residential proxies and VPS servers, in some cases re-using infrastructure to access different victim or attacker accounts. As a result, we were able to connect the two distinct campaigns we observed to the same cluster. We have re-secured the Gmail accounts compromised by these campaigns.
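The two signals above (an ASP created by the victim, then used from attacker-controlled infrastructure such as the residential proxy IP listed in the table) can be correlated in login telemetry. The following is an added detection example, not code from the GTIG post; it runs over a constructed, simplified event format that is an assumption here, not Google's actual Workspace audit log schema, and flags an ASP login when it comes from the known indicator or from an IP the account had never used before shortly after the ASP was created.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in an assumed, simplified JSON-lines format
# (not the real Workspace audit schema). The victim creates the ASP from
# their usual IP; the attacker then logs in with it from the proxy.
SAMPLE_EVENTS = """
{"ts": "2025-05-02T09:10:00Z", "user": "prof@example.edu", "event": "asp_created", "asp_name": "ms.state.gov", "ip": "203.0.113.7"}
{"ts": "2025-05-02T09:30:00Z", "user": "prof@example.edu", "event": "login", "auth": "asp", "asp_name": "ms.state.gov", "ip": "91.190.191.117"}
{"ts": "2025-05-03T08:00:00Z", "user": "prof@example.edu", "event": "login", "auth": "password_2sv", "ip": "203.0.113.7"}
{"ts": "2025-05-04T11:00:00Z", "user": "jane@example.edu", "event": "asp_created", "asp_name": "Thunderbird laptop", "ip": "198.51.100.9"}
{"ts": "2025-05-04T11:05:00Z", "user": "jane@example.edu", "event": "login", "auth": "asp", "asp_name": "Thunderbird laptop", "ip": "198.51.100.9"}
"""

# Indicator from the report: residential proxy used in both campaigns.
KNOWN_BAD_IPS = {"91.190.191.117"}
WINDOW = timedelta(hours=48)  # how soon after creation a new-IP login is suspicious

def parse_events(text):
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])

def find_suspicious_asp_use(events, window=WINDOW):
    """Return one alert per ASP login that hits a known-bad IP, or that is the
    first use of a freshly created ASP from an IP this account never used before."""
    alerts = []
    seen_ips = {}   # user -> IPs seen on earlier events for that user
    created = {}    # (user, asp_name) -> creation timestamp
    for e in events:
        user_ips = seen_ips.setdefault(e["user"], set())
        if e["event"] == "asp_created":
            created[(e["user"], e["asp_name"])] = e["ts"]
        elif e["event"] == "login" and e.get("auth") == "asp":
            reasons = []
            if e["ip"] in KNOWN_BAD_IPS:
                reasons.append("ASP login from known attacker infrastructure")
            t0 = created.get((e["user"], e["asp_name"]))
            if t0 and e["ts"] - t0 <= window and e["ip"] not in user_ips:
                reasons.append("first ASP login from an IP never used by this account")
            if reasons:
                alerts.append({"user": e["user"], "asp_name": e["asp_name"],
                               "ip": e["ip"], "reasons": reasons})
        user_ips.add(e["ip"])  # record after evaluation so the current IP is not "seen"
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_asp_use(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

On the constructed sample only the `ms.state.gov` ASP is flagged (both reasons fire); Jane's ASP used from her own IP produces no alert, which is the benign case the window check is meant to pass.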
Mitigations
GTIG is committed to our mission of understanding and countering advanced threats. We use the results of our research to ensure that Google’s products are secure and to protect our users and enterprise customers. 
Users have complete control over their ASPs and may create or revoke them on demand. Google Workspace administrators also have options for restricting their use, or revoking ones created by their users. Upon creation, Google sends a notification to the account’s Gmail inbox, its recovery email address, and any device signed in with that Google Account, so the user can confirm they intended to enable this form of authentication.

Figure 3: Google Account Help documentation on app passwords

Google provides enhanced security resources such as the Advanced Protection Program (APP), intended for individuals at high risk of targeted attacks and exposure to other serious threats. Opting to use the APP prevents an account from creating an ASP due to the program’s heightened security requirements.
We are committed to sharing our findings with the security community and with companies and individuals that may have been targeted by these activities, and we hope that improved understanding of tactics and techniques will enhance threat hunting capabilities and lead to stronger user protections across the industry.
Lure PDF Document
SHA256: 329fda9939930e504f47d30834d769b30ebeaced7d73f3c1aadd0e48320d6b39

AI Summary and Description: Yes

Summary: The text outlines a sophisticated cyber threat campaign orchestrated by a Russian state-sponsored group targeting prominent academics and critics of Russia. The attackers employed social engineering techniques to manipulate victims into creating Application Specific Passwords (ASPs), thereby gaining unauthorized access to their email accounts. This case exemplifies current threats and mitigations in information and cloud computing security, underscoring the need for enhanced user awareness and controls.

Detailed Description: The provided content illustrates two cyber threat campaigns attributed to UNC6293, a group associated with Russian state-sponsored cyber activities. Key points of interest include:

– **Targeting Strategy**: The attackers impersonated the U.S. Department of State, engaging in rapport-building tactics to convince targeted individuals to share sensitive information.
– **Social Engineering Techniques**: By sending phishing emails that appeared legitimate (e.g., meeting invitations), they were able to lure individuals into creating ASPs under false pretenses.
– **Mechanism of Attack**:
  – Victims were directed to set up a benign-sounding ASP, facilitating unauthorized access to their email accounts.
  – Use of tailored lures and false credibility (i.e., spoofed email addresses) greatly increased vulnerability.
– **Persistent Access**: Once attackers obtained the ASP, they enjoyed long-term access to the victims’ email correspondence, heightening their ability to gather intelligence.
– **Infrastructure**: The attackers utilized residential proxies and virtual private servers, showing a high level of sophistication in maintaining anonymity while executing their attacks.
– **Mitigation Strategies**:
  – Users have control to create or revoke ASPs on demand within their Google Accounts.
  – Google Workspace administrators have enhanced capabilities for restricting ASP usage to prevent abuse.
  – Implementation of the Advanced Protection Program (APP) for high-risk users, preventing the creation of ASPs in environments requiring tighter security protocols.
– **Community and Industry Collaboration**: The Google Threat Intelligence Group expresses commitment to sharing their findings with the security community to bolster defenses against such targeted threats.

**Significance**:
– For security and compliance professionals, this case emphasizes the importance of user education regarding phishing techniques and the security functionality of ASPs.
– It illustrates the need for enhanced measures in cloud computing environments to protect against social engineering tactics.
– Strengthening controls and implementing user awareness programs are crucial for minimizing risks associated with credential theft and unauthorized access in an era where cyber threats are increasingly sophisticated.

In conclusion, understanding the tactics employed by advanced persistent threat (APT) actors like UNC6293 allows security professionals to better prepare, respond, and mitigate risks in both individual and organizational contexts.