Do Son 
Between April and early June 2025, experts from Google’s Threat Intelligence Group (GTIG), in collaboration with external organizations, uncovered a large-scale phishing campaign. The operation targeted prominent Western researchers, analysts, and critics of Russia. Its primary objective was to gain the trust of these individuals and subsequently compromise their email accounts using a technique that exploited Google’s Application Specific Passwords (ASP) feature.
GTIG is tracking this activity under the identifier UNC6293 and attributes it, with low confidence, to the APT29 group. The campaign unfolded in several carefully orchestrated stages. Initially, attackers initiated a correspondence designed to cultivate a rapport with the target. This was followed by emails masquerading as official communication from the U.S. Department of State—seemingly routine meeting invitations, complete with forged email addresses crafted to resemble legitimate government domains.
Once trust had been established, a second email would arrive, bearing a PDF attachment that contained no malware but was formatted to mimic official documents. This file provided detailed instructions for generating an ASP—a Google feature intended for authorizing apps that lack support for two-factor authentication. The recipient was directed to visit Google’s official account page and create a new ASP, with suggested names such as “ms.state.gov” or phrases themed around Ukraine and Microsoft.
The pivotal element of the attack was the request for the victim to send back the 16-character password they had generated. With this password in hand, the attackers could configure a mail client to access the target’s inbox, thereby establishing a persistent, unchallenged entry point—one that bypassed further authentication. This granted the adversaries real-time access to sensitive correspondence and the ability to monitor the victim’s ongoing activities.
Both recorded incidents relied on the same technical infrastructure: the IP address 91.190.191.117, part of a proxy network used to obscure the attackers’ true location. The operation made use of both residential proxies and virtual servers, complicating attribution and tracing efforts. GTIG noted the reuse of this infrastructure across multiple campaign phases.
Following the discovery and analysis of the phishing emails, Google restored access to the compromised accounts. The company also reminded users that ASPs can be revoked at any time via account settings. When an ASP is created, Google automatically issues alerts to the associated email, backup address, and all authorized devices, enabling users to detect and respond to suspicious activity promptly. Beyond conventional safeguards, Google recommends enrollment in its Advanced Protection Program (APP)—a security initiative tailored for individuals at heightened risk. Once enabled, APP prevents the generation of ASPs altogether, effectively neutralizing this attack vector.
Donate