Russian hackers bypassed Gmail’s multi-factor authentication (MFA) through patient social engineering rather than any technical flaw in MFA itself: they talked targets into handing over a credential that MFA does not protect. They pretended to be employees of the US Department of State.
This was previously reported by BleepingComputer. The hackers targeted well-known academics and critics of Russia using a personalized attack method. They carefully constructed their approach and did not pressure their targets to take immediate action.
Between April and early June, victims received carefully crafted phishing messages with the aim of persuading them to create and share an app-specific password. This gave the hackers access to their Gmail accounts.
An app-specific password is a 16-character credential that Google generates so that older or less secure applications, such as email clients that only support plain username/password login over IMAP or SMTP, can access a Google account when two-factor authentication is enabled. Whoever holds that password can sign in without ever being asked for a second factor, which is why sharing one is equivalent to sharing the account.
Link to Russian intelligence service
Security researchers from Google’s Threat Intelligence Group are tracking the perpetrators under the name UNC6293. They suspect that the group is state-sponsored and possibly linked to APT29, which is believed to be part of the Russian foreign intelligence service SVR.
APT29 is known by various names, including NobleBaron, Nobelium, Cozy Bear, CozyDuke, and Midnight Blizzard. The group has been active since at least 2008. Its members target government networks, research institutions, and think tanks.
Researchers at The Citizen Lab investigated a phishing attack by UNC6293 on Keir Giles, an expert in Russian information operations. The attack began with an email from someone claiming to be Claudie S. Weber of the US Department of State, inviting Giles to a private online conversation.
Although the message came from a Gmail address, several @state.gov addresses were included in the CC line, including that of Claudie S. Weber, which gave the message the appearance of being official.
The investigators could find no evidence that a Claudie S. Weber is actually employed by the department. According to them, the attacker knows that the department’s mail server accepts messages for non-existent addresses without bouncing them, so the fake @state.gov recipients in the CC line never produced a non-delivery report that would have exposed the ruse.
After several email exchanges in which Giles expressed interest but indicated that he might not be available on the proposed date, he received an invitation to join the department’s MS DoS Guest Tenant platform. This would make it easier to attend future meetings.
Giles agreed and received a PDF with instructions on how to create an app-specific password within his Google account. This password would be required to access the platform as a guest user.
The next step was to share this password with the platform administrators in order to add the guest user to the O365 Tenant. The instructions described this as an alternative method for secure communication between Gmail users and department employees.
Victim grants full access
In reality, this gave the attackers full access to the victim’s Google account, according to researchers at The Citizen Lab.
According to Google, this spearphishing campaign began in April and continued until early June. During this period, two separate campaigns were identified. One with themes related to the US Department of State and one related to Ukraine and Microsoft.
Both campaigns used residential proxies (such as 91.190.191[.]117) and VPS servers to log in to the compromised email accounts, so that the attacker’s access blended in with ordinary consumer traffic and could not easily be traced back to them.
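The access pattern described in this campaign (an app-specific password created by the victim, then used to log in from infrastructure the victim never used interactively, such as the residential proxy address above) is something a defender can hunt for in account login records. The following is an added example written for this article, not code from Google, The Citizen Lab or the reporting; the event records are constructed and only loosely modelled on Google Workspace login audit activity, and the field names, the `login_type` values and the sample timestamps and addresses are all assumptions made for the example.

```python
"""Triage login events for the 'shared app-specific password' pattern.

Added example; not the article's or any vendor's code.  The record
layout (actor, ip, event, login_type, second_factor) and the values
below are assumptions constructed for this example.
"""
from collections import defaultdict


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 91.190.191[.]117 into a usable IP."""
    return indicator.replace("[.]", ".")


# Indicator published in the reporting on this campaign.
IOC_IPS = {refang("91.190.191[.]117")}

# Constructed sample events (assumed format): a normal passkey login,
# the victim creating an app password, and that password being used
# from the indicator address with no second-factor challenge.
SAMPLE_EVENTS = [
    {"time": "2025-05-20T09:12:03Z", "actor": "giles@example.org",
     "ip": "203.0.113.10", "event": "login_success",
     "login_type": "google_password", "second_factor": "passkey"},
    {"time": "2025-05-20T09:40:51Z", "actor": "giles@example.org",
     "ip": "203.0.113.10", "event": "app_password_created",
     "login_type": None, "second_factor": None},
    {"time": "2025-05-20T11:03:17Z", "actor": "giles@example.org",
     "ip": "91.190.191.117", "event": "login_success",
     "login_type": "app_password", "second_factor": None},
    {"time": "2025-05-21T08:00:00Z", "actor": "other@example.org",
     "ip": "198.51.100.7", "event": "login_success",
     "login_type": "google_password", "second_factor": "passkey"},
]


def _is_interactive_login(ev: dict) -> bool:
    """A login where the user actually passed a second factor."""
    return ev["event"] == "login_success" and ev.get("second_factor") is not None


def triage(events, ioc_ips=IOC_IPS):
    """Return one finding per suspicious event, in time order.

    Reasons attached to a finding:
      ioc_ip               - source address is a known indicator
      app_password_created - user minted an app-specific password
      app_password_login   - login used an app password (no 2FA prompt)
      new_ip_for_user      - app-password login from an address the user
                             has never used for an interactive login
    """
    events = sorted(events, key=lambda e: e["time"])
    interactive_ips = defaultdict(set)  # actor -> IPs seen with 2FA
    findings = []
    for ev in events:
        reasons = []
        if ev["ip"] in ioc_ips:
            reasons.append("ioc_ip")
        if ev["event"] == "app_password_created":
            reasons.append("app_password_created")
        if ev["event"] == "login_success" and ev.get("login_type") == "app_password":
            reasons.append("app_password_login")
            if ev["ip"] not in interactive_ips[ev["actor"]]:
                reasons.append("new_ip_for_user")
        # Build the baseline only from logins that passed a second factor,
        # so an attacker's app-password logins never whitelist their IPs.
        if _is_interactive_login(ev):
            interactive_ips[ev["actor"]].add(ev["ip"])
        if reasons:
            findings.append({"actor": ev["actor"], "time": ev["time"],
                             "ip": ev["ip"], "reasons": reasons})
    return findings


def users_to_review(findings):
    """Accounts worth a manual look: any IOC hit, or the full chain of an
    app password being created and then used."""
    by_user = defaultdict(set)
    for f in findings:
        by_user[f["actor"]].update(f["reasons"])
    return {user for user, reasons in by_user.items()
            if "ioc_ip" in reasons
            or {"app_password_created", "app_password_login"} <= reasons}


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
    print("review:", users_to_review(triage(SAMPLE_EVENTS)))
```

The baseline of known-good addresses is built only from logins that passed a second factor, so a login made with a stolen app password cannot quietly add the attacker's proxy to the allow list. In a real deployment the event list would come from the identity provider's audit export rather than the embedded sample, and the IOC set would be maintained from current reporting.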
The campaigns were very well thought out. They used multiple false identities, accounts, and supporting material to increase credibility.
The victims were often individuals involved in sensitive topics such as conflicts, legal matters, or advocacy.
Google advises such users to sign up for the Advanced Protection Program. This applies stricter security settings and prevents app-specific passwords from being created at all, which closes the path used in this campaign. It also requires a passkey or hardware security key to sign in.