Russian APT29 hackers bypass Gmail 2FA using app-specific passwords
Lusanda Molefe June 22, 2025

Russian state-sponsored hackers linked to APT29 ran a patient social engineering campaign that got around Gmail's two-factor authentication by abusing a legitimate but lesser-known feature: app-specific passwords (Google's own interface calls them "app passwords"). The attackers did not break 2FA; they talked victims into minting a credential that is designed to work without it. The multi-week operation, which targeted prominent academics and Russia critics, shows an evolution in phishing tradecraft that healthcare organizations need to understand.
What happened
Between April and early June 2025, threat actors tracked as UNC6293 by Google's Threat Intelligence Group (GTIG), which assesses with low confidence that the group is associated with APT29, conducted a targeted campaign impersonating U.S. Department of State officials. The attackers built rapport over several weeks before convincing victims to generate and share 16-character app-specific passwords (ASPs). An ASP is accepted by Gmail's IMAP and SMTP endpoints without any second-factor prompt, so it granted persistent access to the victims' mailboxes without the attackers ever needing the account password or a 2FA code.
Going deeper
The campaign's sophistication lies in its patient, methodical approach. Attackers initially sent benign emails from Gmail accounts claiming to be from "Claudie S. Weber" at the State Department, with multiple fake @state.gov addresses in the CC line for credibility. They then engaged in multiple professional exchanges over weeks, avoiding the urgency typical of phishing attempts.
Eventually, victims were sent a detailed PDF with step-by-step instructions to create an app-specific password, supposedly needed to access a "MS DoS Guest Tenant" platform for "secure communications." Once a victim shared the ASP, the attackers had persistent mailbox access over ordinary mail protocols that never triggered a 2FA challenge, because app passwords are exempt from 2-Step Verification by design. The access survives until the victim revokes that specific app password or changes the account's security settings.
Google identified two campaign themes, one impersonating the State Department and another using Ukraine-related lures. The attackers logged into compromised accounts through residential proxies and VPS servers, so their sessions blended in with ordinary consumer traffic instead of standing out by geography or hosting provider.
Why it matters
This attack method is particularly concerning for healthcare organizations because it sidesteps multi-factor authentication, a cornerstone of HIPAA technical safeguards, without ever defeating it: the victim hands over a credential that MFA does not protect. The technique could easily be adapted to target healthcare executives, researchers, or IT administrators. Medical professionals accustomed to following detailed technical instructions for accessing secure platforms may be especially vulnerable. Compromised email accounts could expose PHI, enable further phishing attacks within healthcare networks, or facilitate business email compromise. Two checks are worth doing now: review the app passwords listed under each Google account's 2-Step Verification settings and revoke any that are unrecognized, and, for Workspace tenants, consider turning off IMAP and POP access for users who do not need a legacy mail client. Enrolling high-risk users in Google's Advanced Protection Program removes the exposure entirely, since that program does not allow app passwords.
The intrigue
The campaign came to light when Keir Giles, a Russia expert at the UK think tank Chatham House, fell victim and received a Google security alert. His subsequent investigation with Citizen Lab revealed the attackers' meticulous planning. They even knew that State Department mail servers accept messages to non-existent addresses without generating a bounce, so the fake @state.gov colleagues in the CC line never betrayed themselves.
This represents a pattern of innovation by Russian cyber operators, who have recently pioneered other authentication bypass techniques including device code phishing, device join phishing for Microsoft 365, and Signal account takeovers.
What they're saying
Google's researchers noted that "this method also allows the attackers to have persistent access to accounts."
The Citizen Lab observed, "This was a highly sophisticated attack, requiring the preparation of a range of fake identities, accounts, materials and elements of deception. The attacker was clearly meticulous, to the extent that even a vigilant user would be unlikely to spot out-of-place elements or details."
FAQs
What are app-specific passwords?
App-specific passwords (app passwords in Google's settings) are 16-letter codes that a user can generate from the account's security page once 2-Step Verification is turned on. Each one is a standalone credential for a single application, accepted over IMAP, SMTP, CalDAV and similar protocols without a 2FA prompt. They exist for legacy email clients that cannot handle modern sign-in, and each can be revoked individually from the same settings page.
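Because the victims in this campaign handed the code over in writing, the most direct control a mail-security team can add is an outbound check for app-password-shaped tokens. The script below is an added example, not code from the article, GTIG or Citizen Lab; it assumes that Google displays an app password as 16 lowercase letters in four groups of four ("abcd efgh ijkl mnop") and that the three sample messages, which are constructed for this demonstration, represent a victim's reply to the lure, an innocent message that happens to contain four 4-letter words, and a clean message. A token standing alone on a line, or a token combined with the lure wording the article describes, is treated as a block; shape alone only earns a review so that ordinary prose is not blocked.

```python
"""Outbound DLP check for Google app passwords being shared by email.

Added example, not code from the Paubox article, GTIG or Citizen Lab.
Assumption: Google shows an app password as 16 lowercase letters in four
groups of four, and users usually paste it with the spacing intact.
"""
import re
from email import message_from_string

# Four groups of four lowercase letters separated by a space, NBSP or hyphen.
ASP_GROUPED_RE = re.compile(r"(?<![a-z])[a-z]{4}(?:[ \u00a0-][a-z]{4}){3}(?![a-z])")
# Wording from the reported lure plus generic phrasing, matched case-insensitively.
CONTEXT_RE = re.compile(
    r"app[- ]?(?:specific[- ])?password|16[- ]character|guest tenant",
    re.IGNORECASE,
)


def get_text(msg):
    """Concatenate all text/plain parts of a parsed message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            parts.append(payload.decode(charset, errors="replace"))
    return "\n".join(parts)


def score_message(raw):
    """Return (verdict, findings) for one RFC 5322 message string.

    Scoring: token alone on a line +2, token inside a line +1,
    lure wording in subject or body +1. score >= 2 -> "block",
    1 -> "review", 0 -> "clean".
    """
    msg = message_from_string(raw)
    body = get_text(msg)
    subject = msg.get("Subject", "")
    findings = []
    score = 0
    for line in body.splitlines():
        stripped = line.strip().strip("\"'`")
        if ASP_GROUPED_RE.fullmatch(stripped):
            findings.append(("asp_alone_on_line", stripped))
            score += 2
        else:
            for m in ASP_GROUPED_RE.finditer(line):
                findings.append(("asp_shaped_token", m.group(0)))
                score += 1
    context = CONTEXT_RE.search(subject + "\n" + body)
    if context:
        findings.append(("lure_wording", context.group(0)))
        score += 1
    verdict = "block" if score >= 2 else ("review" if score == 1 else "clean")
    return verdict, findings


# Constructed samples for the demonstration (not real messages).
SAMPLE_REPLY_TO_LURE = (
    "From: researcher@example.org\n"
    "To: guest-access@example.com\n"
    "Subject: Re: MS DoS Guest Tenant access\n"
    "\n"
    "Hi,\n"
    "\n"
    "I followed the PDF. Here is the 16-character code Google gave me:\n"
    "\n"
    "abcd efgh ijkl mnop\n"
    "\n"
    "Best,\n"
)
SAMPLE_PROSE_FALSE_POSITIVE = (
    "From: alice@example.org\n"
    "To: bob@example.org\n"
    "Subject: Scheduling\n"
    "\n"
    "They said that this week will work for them. Let me know what time.\n"
)
SAMPLE_CLEAN = (
    "From: alice@example.org\n"
    "To: bob@example.org\n"
    "Subject: Lunch\n"
    "\n"
    "Can you do Thursday at noon? The usual place works for me.\n"
)

if __name__ == "__main__":
    for name, raw in [("lure reply", SAMPLE_REPLY_TO_LURE),
                      ("prose", SAMPLE_PROSE_FALSE_POSITIVE),
                      ("clean", SAMPLE_CLEAN)]:
        verdict, findings = score_message(raw)
        print(f"{name}: {verdict} {findings}")
```

The "prose" sample shows why shape alone is not enough: "said that this week" is four 4-letter lowercase words and matches the pattern, so it is routed to review rather than blocked. A real deployment would tune the context list to the organization's own vocabulary and, ideally, pair this check with revocation of any app password that is seen leaving the tenant.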
How is this different from regular phishing?
Unlike typical phishing that creates urgency or fear, this campaign involved weeks of professional correspondence to build trust. The attackers never asked for the account password or a 2FA code, so nothing the victim did looked like handing over a login. Instead, they tricked victims into creating, and then sharing, a legitimate credential that the attackers could use on their own mail client.
Could this technique target other platforms besides Gmail?
Yes. Many services offer similar app-specific password features, including Microsoft, Apple, and Yahoo, and the same social engineering works against any of them. Healthcare organizations using any email platform with this feature should review whether it is needed at all and, where the platform allows it (Microsoft 365, for example, lets administrators disallow app passwords), turn it off for users who have no legacy client.