Sophisticated Phishing Campaigns Target Gmail Users

A Russian state-backed cyber group has bypassed Gmail’s multi-factor authentication (MFA) using app-specific passwords. The threat actor, tracked by Google’s Threat Intelligence Group (GTIG) as UNC6293, is linked to the well-known APT29 group, often referred to as Cozy Bear.

Between April and early June, the group launched a highly targeted spearphishing campaign against academics and critics of Russia. Victims received personalized emails, appearing to come from U.S. State Department officials, urging them to join secure meetings. These emails convinced targets to create and share app-specific passwords—intended for legacy apps—which the hackers then used to access their Gmail accounts.

UNC6293 luring victim to join "secure platform".

Impersonation of U.S. Officials and Strategic Deception

One known case involved Russian analyst Keir Giles. He received emails from a fake “Claudie S. Weber” at the U.S. State Department, complete with real-looking @state.gov addresses in the CC line. Although the initial email came from Gmail, its format mimicked official government communications.

The attacker invited Giles to a “secure platform” supposedly used for State Department meetings. A PDF guide instructed him to generate an app-specific password for access. He was then told to share this code with supposed administrators—unknowingly handing over full access to his Gmail account.

Infrastructure and Recommendations from Google

Google found that UNC6293 ran at least two distinct campaigns: one themed around the U.S. State Department and another focused on Ukraine and Microsoft topics. The attackers used a mix of residential proxies and VPS hosts to stay hidden.

CybSec News urges users at risk—especially those involved in international research or advocacy—to join Google’s Advanced Protection Program. This program disables insecure app-password options and requires strong verification steps to access Gmail accounts.

