June 19, 2025
Severity
High
Analysis Summary
A Russian-linked hacking group, believed to be APT29 (also known as Cozy Bear), has been carrying out a sophisticated phishing campaign targeting people who are critics of Russia, especially academics and researchers. The attack focuses on a lesser-known feature of Google accounts called app passwords to bypass two-factor authentication (2FA) and gain access to victims’ email accounts.
The campaign was active from April to early June 2025 and was uncovered by security researchers. The attackers, tracked as UNC6293, used highly personalized phishing to build trust with their targets over several weeks. Unlike typical phishing that pressures users to act quickly, this group relied on slow, plausible conversations to appear legitimate and trustworthy.
The attackers pretended to be U.S. State Department officials and sent emails that looked like meeting invitations. To make their emails seem real, they included several fake State Department email addresses in the CC line. Most victims assumed the message was genuine because it seemed unlikely that multiple officials would all be fake, especially if no one responded with a correction.
The phishing emails eventually led the target to a PDF document instructing them to generate a 16-digit app password. App passwords are meant to allow access to Google accounts through less secure apps that don’t support 2FA. By tricking the victim into creating and sharing one of these passwords, the hackers were able to bypass 2FA completely. They then used these passwords to set up their own mail client and gain ongoing access to the victim’s email without triggering any usual security alerts.
Google also reported that some similar phishing campaigns used Ukrainian-themed lures and that the hackers tried to hide their location by logging into accounts using residential proxies and virtual private servers (VPS).
This is not the first time UNC6293 has used advanced social engineering tactics. Microsoft earlier observed the same group using device code phishing, in which the attackers send the victim a link together with a code. When the victim enters that code, the attacker's device is registered with the victim's organization, allowing the attacker to access accounts as if they were an internal employee.
These techniques show how cybercriminals are constantly evolving their methods to defeat modern security tools like 2FA. They rely not just on technical flaws but also on manipulating human trust to gain access.
Impact
- Gain Access
- Data Exfiltration
- Cyber Espionage
Indicators of Compromise
IP
178.62.47.109
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Avoid sharing app passwords or any codes received via email unless confirmed through secure channels.
- Disable or limit the use of app passwords where possible in organizational settings.
- Educate employees and users about advanced phishing tactics, including those involving app passwords or device codes.
- Verify meeting invitations or email requests independently through known contacts or official phone numbers.
- Use advanced email filtering and threat detection to catch phishing lures.
- Regularly review account security settings and revoke unused or suspicious third-party app access.
- Monitor login activity for unknown devices, locations, or proxy usage.
- Enable alerts for new app password generation or device registration in admin dashboards.
- Use phishing-resistant multi-factor authentication methods (e.g., security keys or authenticator apps).
- Report suspicious emails to IT/security teams and Google/Microsoft if applicable.
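The following is an added example, not part of the original advisory, showing how a defender might combine two of the remediation items above: sweeping authentication logs for the advisory's IoC IP, and alerting on app password creation and device registration events. The JSON-lines log format, the event names (`app_password_created`, `device_registered`, `login_success`) and the `client` field are assumptions constructed for this example and do not correspond to any vendor's real audit schema; the sample log lines are likewise constructed.

```python
"""Added example: sweep a constructed authentication log for the advisory's
IoC IP and for the app-password / device-registration events the remediation
list asks defenders to alert on. Log schema and event names are assumptions."""
import ipaddress
import json
from collections import defaultdict

# IoC taken from the advisory above.
IOC_IPS = {"178.62.47.109"}

# Event names are assumptions for this constructed log format.
HIGH_RISK_EVENTS = {"app_password_created", "device_registered"}

# Constructed sample log (JSON lines, assumed to be in chronological order).
# The malformed last line shows that a bad record must not abort the sweep.
SAMPLE_LOG = """
{"ts": "2025-05-02T09:14:03Z", "user": "alice@example.org", "event": "login_success", "src_ip": "203.0.113.7", "client": "browser"}
{"ts": "2025-05-02T09:20:41Z", "user": "alice@example.org", "event": "app_password_created", "src_ip": "203.0.113.7", "client": "browser"}
{"ts": "2025-05-02T11:02:17Z", "user": "alice@example.org", "event": "login_success", "src_ip": "178.62.47.109", "client": "imap"}
{"ts": "2025-05-03T08:00:00Z", "user": "bob@example.org", "event": "login_success", "src_ip": "198.51.100.20", "client": "browser"}
not valid json
"""


def parse_log(text):
    """Parse JSON lines into dicts, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than aborting the sweep
    return records


def sweep(records, ioc_ips=IOC_IPS):
    """Return a list of findings, each {"user", "ts", "reason", "detail"}.

    Three detections are applied to every record:
      1. source IP matches a known IoC;
      2. a high-risk event (app password created, device registered);
      3. a login from a non-browser client (the mail-client pattern the
         advisory describes) after that user created an app password.
    """
    ioc = {ipaddress.ip_address(ip) for ip in ioc_ips}
    findings = []
    app_pw_created = defaultdict(list)  # user -> timestamps of app password creation

    for r in records:
        user, ts, event = r.get("user"), r.get("ts"), r.get("event")
        try:
            src = ipaddress.ip_address(r.get("src_ip", ""))
        except ValueError:
            src = None  # missing or unparsable address; IoC check simply cannot match

        if src in ioc:
            findings.append({"user": user, "ts": ts, "reason": "ioc_ip", "detail": str(src)})

        if event in HIGH_RISK_EVENTS:
            findings.append({"user": user, "ts": ts, "reason": event, "detail": str(src)})
            if event == "app_password_created":
                app_pw_created[user].append(ts)

        if event == "login_success" and r.get("client") != "browser" and app_pw_created.get(user):
            findings.append({
                "user": user,
                "ts": ts,
                "reason": "legacy_client_login_after_app_password",
                "detail": f"client={r.get('client')} app_password_created_at={app_pw_created[user][-1]}",
            })
    return findings


if __name__ == "__main__":
    for f in sweep(parse_log(SAMPLE_LOG)):
        print(f"{f['ts']} {f['user']} {f['reason']} ({f['detail']})")
```

In the constructed sample, the sweep flags alice three times: the app password creation itself, the IMAP login from the IoC address, and the fact that a non-browser login followed her app password creation. Bob's ordinary browser login produces nothing. In a real deployment the third rule is the most useful one, because an attacker's mail-client login will usually come from an address that is not on any IoC list.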