Russian APT UNC6293 Exploits Google App Passwords to Bypass 2FA, Hacks Prominent Critics
A group of hackers orchestrated a meticulously planned campaign targeting Gmail users, successfully bypassing two-factor authentication and gaining unauthorized access to their accounts. The operation was aimed at prominent experts in international security and political science—specifically researchers focused on disinformation and cyber influence.
The attackers employed an atypical and highly sophisticated social engineering tactic. Rather than relying on generic mass emails laced with threats or urgent demands, this campaign featured personalized messages crafted in an official tone, allegedly sent by employees of the U.S. Department of State.
One well-documented incident involved Keir Giles, a British analyst and specialist in Russian information operations. He received an email from someone identifying as Claudie S. Weber, purportedly an official representative, inviting him to participate in a closed online discussion on international coordination. The email stated that the event would be hosted via the internal platform MS DoS Guest Tenant.
Although the message came from a standard Gmail address, it appeared convincingly official: it included several cc’d @state.gov addresses, including Weber’s, creating the illusion of legitimate government correspondence. However, as later revealed, neither Weber nor the listed addresses had any affiliation with the State Department. According to Citizen Lab, the attackers exploited a quirk in the Department’s email server, which accepts messages addressed to nonexistent @state.gov inboxes without returning error notifications. This allowed the hackers to list invented “official” addresses in the CC field without triggering bounce notices that might have exposed the ruse, making the message nearly indistinguishable from genuine government correspondence.
The correspondence between the hacker and the target spanned several days. During the exchange, the victim was informed that participation in future sessions required a one-time registration. To complete this, the target received a PDF guide instructing how to generate an app-specific password within their Google account—a unique credential used to authorize third-party apps without the primary password.
Such passwords exist for older mail clients that cannot complete a modern sign-in; because they are accepted without a second factor, whoever holds one sidesteps two-factor protection entirely. Once the password was generated, the victim was asked to share it with the “system administrators” to finalize registration. In reality, this handed the attacker full access to the victim’s account, including all emails, documents, and attachments.
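As an added illustration (not code from the Citizen Lab or Google reports), the following Python heuristic flags the two traits of the lure described above: a message sent from a consumer webmail address that copies @state.gov recipients, and a body asking the recipient to create an app-specific password. The sample message, its addresses and the domain lists are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Consumer webmail providers; a genuine official invitation would not originate here.
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
# Domains whose presence in Cc lends false authority (list assumed for this example).
AUTHORITY_DOMAINS = {"state.gov"}
# Wording of the lure: the target is asked to create an app-specific password.
APP_PASSWORD_RE = re.compile(r"app[- ]specific password|app password", re.IGNORECASE)

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def body_text(msg):
    """Decoded text of the first text/plain part (the message itself if not multipart)."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""

def score_message(raw):
    """Return the lure indicators found in a raw RFC 5322 message (empty list if none)."""
    msg = message_from_string(raw)
    findings = []
    senders = [a for _, a in getaddresses(msg.get_all("From", []))]
    recipients = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    sender_domain = domain_of(senders[0]) if senders else ""
    authority = [a for a in recipients if domain_of(a) in AUTHORITY_DOMAINS]
    # A webmail sender copying government inboxes is the Cc trick described above.
    if sender_domain in WEBMAIL_DOMAINS and authority:
        findings.append(f"webmail sender {sender_domain} copies {len(authority)} authority-domain address(es)")
    if APP_PASSWORD_RE.search(body_text(msg)):
        findings.append("body asks the recipient to create an app-specific password")
    return findings

# Constructed sample lure (not real correspondence); all addresses are placeholders.
SAMPLE_LURE = """\
From: Invitation Desk <invitation.desk.example@gmail.com>
To: analyst@example.org
Cc: weber.example@state.gov, protocol.example@state.gov
Subject: Closed discussion on international coordination

To join future sessions, complete a one-time registration: create an
app-specific password in your Google account and send it to our system
administrators.
"""
```

Running `score_message(SAMPLE_LURE)` returns both indicators; a message whose sender and recipients all share a government domain and whose body never mentions app passwords returns an empty list.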
The cybercriminals, tracked by Google under the moniker UNC6293, are believed to operate under the auspices of intelligence services. Researchers have linked them to the group APT29—also known as Nobelium, Cozy Bear, or Midnight Blizzard—an entity active since 2008, specializing in attacks on government bodies, academic institutions, and think tanks worldwide.
According to Google’s Threat Intelligence Group, at least two such campaigns have been documented. One revolved around themes tied to the U.S. State Department, while the other referenced Microsoft and Ukraine. In all instances, attackers utilized virtual servers and residential proxies, including the IP address 91.190.191[.]117, to obscure the true origin of the connection.
Both campaigns were marked by an exceptional level of detail: forged documents, carefully crafted messages, and convincing false identities—all meticulously designed to foster trust. The hackers paid attention to every nuance, ensuring their communications appeared entirely authentic. As research indicates, adaptive phishing is becoming an increasingly potent weapon in the hands of cybercriminals.
Their targets were individuals involved in sensitive international affairs—ranging from political consultants to human rights advocates. The attackers did not merely breach accounts; they systematically hunted for intelligence of strategic importance.
As a robust protective measure, Google recommends enrolling in its Advanced Protection Program. This high-security mode eliminates the use of app-specific passwords and mandates hardware-based authentication at login. It is specifically tailored for individuals who may be subject to targeted attacks by professional threat actors.