Russian hackers have managed to bypass Google’s multi-factor authentication (MFA), accessing compromised Gmail accounts through the use of app-specific passwords. This sophisticated attack is attributed to a threat actor dubbed UNC6293, which is believed to be linked to Russia’s Foreign Intelligence Service (SVR) and has a history of targeting individuals critical of the Russian government.
The meticulously constructed campaign ran between April and June, with hackers sending carefully crafted phishing emails to well-known academics and critics of Russia. In one case investigated by academic research group The Citizen Lab, an email purportedly from a U.S. Department of State official invited a targeted academic to a “private online conversation.” The email was made to look legitimate by including multiple ‘@state.gov’ addresses, although there is no record of the sender, Claudie S. Weber, being a current official.
As the phishing campaign progressed, victims were instructed to create app-specific passwords for their Google accounts, under the guise of needing these credentials to access a purported Department of State platform for secure communications. An app-specific password lets an application sign in to the account without a 2-Step Verification prompt, so by following these instructions, victims unknowingly provided hackers with full access to their Gmail accounts.
Research conducted by Google’s Threat Intelligence Group highlighted that this is an innovative approach to phishing: traditional methods have often rushed targets into action, whereas this method relies on slow-paced engagement to build trust before executing the attack. Experts emphasize that individuals who may become targets of sophisticated social engineering campaigns should adopt heightened security measures, such as enrolling in Google’s Advanced Protection Program, which eliminates the possibility of creating app-specific passwords.
More detail on how the attackers are executing these tactics is available in the reports from The Citizen Lab and on Google Threat Intelligence Group’s blog.