Written by: Gabby Roncone, Wesley Shields
In cooperation with external partners, Google Threat Intelligence Group (GTIG) observed a Russia state-sponsored cyber threat actor impersonating the U.S. Department of State. From at least April through early June 2025, this actor targeted prominent academics and critics of Russia, often using extensive rapport building and tailored lures to convince the target to set up application specific passwords (ASPs). Once the target shares the ASP passcode, the attackers establish persistent access to the victim’s mailbox. Two distinct campaigns are detailed in this post. This activity aligns with Citizen Lab’s recent research on social engineering attacks against ASPs, another useful resource for high risk users.
GTIG tracks this activity as UNC6293, a likely Russia state-sponsored cyber actor we assess with low confidence is associated with APT29 / ICECAP. After establishing rapport, the attacker sent phishing lures disguised as meeting invitations, and added spoofed Department of State email addresses on the cc line of the initial outreach to increase the legitimacy of the contact attempt. The initial phishing email itself is not directly malicious, but encourages the victim to respond to set up a meeting.
<
div class=”block-image_full_width”>
<div class="article-module h-c-page">
<div class="h-c-grid">
<figure class="article-image--large
h-c-grid__col
h-c-grid__col--6 h-c-grid__col--offset-3
">
<img alt="Keir
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from Threat Intelligence