New Sophisticated Attack Exploits Google App Passwords to Bypass Multi-Factor Authentication

A sophisticated Russian state-sponsored cyber operation has successfully exploited Google’s App-Specific Password (ASP) feature to bypass multi-factor authentication protections, targeting prominent critics of Russia in a campaign that demonstrates the evolving threat landscape facing high-profile individuals.

The attack, attributed to the group UNC6293 with potential links to APT29, represents a significant advancement in social engineering tactics that security experts warn could become increasingly common as attackers adapt to stronger security measures.

Social Engineering Campaign Targets High-Profile Expert

The attack came to light when Keir Giles, a prominent British academic and expert on Russian information operations at Chatham House, was successfully deceived into providing attackers with access credentials for his email accounts.

The initial contact came through an email dated May 22, 2025, from someone claiming to be “Claudie S. Weber,” a purported Senior Program Advisor at the U.S. State Department.

The message appeared to be a legitimate invitation to participate in a private consultation, a type of request that would be routine for someone of Giles’ expertise.

What made this attack particularly sophisticated was its “unhurried pacing” and attention to credibility-building details.

The attackers invested weeks in building rapport with their target, engaging in more than 10 exchanges to establish trust and legitimacy.

The fake persona used grammatically correct English and maintained consistent communication, with some experts suggesting the attackers may have used large language models to craft their messages.

The deception was further enhanced by the inclusion of multiple fake @state.gov email addresses in the CC field of the initial outreach, creating what Giles described as “pillars of plausibility”.

These fictitious email addresses were designed to suggest that legitimate State Department employees were aware of and endorsing the communication, exploiting the target’s assumption that government officials would speak up if something was amiss.

Technical Exploitation of App-Specific Passwords

The core of the attack centered on manipulating the target into creating and sharing App-Specific Passwords, which are 16-character codes that allow third-party applications to access Google accounts without requiring standard two-factor authentication.

The attackers provided a sophisticated PDF document that appeared to be an official State Department publication, complete with proper formatting, markings, and revision history, according to the Citizen Lab report.

The document instructed Giles to create an ASP with the name “ms.state.gov” and share the generated password with the attackers, framing this process as necessary to access a secure “MS DoS Guest Tenant” platform.

This clever reframing made the victim believe they were following a legitimate security protocol rather than compromising their account security.

Once the attackers obtained the ASP, they gained persistent access to Giles’ email accounts, bypassing all multi-factor authentication protections.

Google’s security systems eventually detected the suspicious activity and locked down the compromised accounts, with logs showing a suspicious login attempt on June 4, 2025, from a Digital Ocean IP address.

Google’s Threat Intelligence Group (GTIG) has identified the attackers as UNC6293, a Russian state-sponsored group that they assess with low confidence is associated with APT29, also known as ICECAP or “Cozy Bear,” which is attributed to Russia’s Foreign Intelligence Service (SVR).

The group conducted at least two distinct campaigns using similar tactics, including one with Ukrainian themes, suggesting a broader operational scope.

The attack infrastructure primarily relied on residential proxies and VPS servers, with attackers using the IP address 91.190.191.117 across multiple campaigns.

This infrastructure reuse allowed security researchers to connect the different campaigns to the same threat actor group.

Security experts note that this attack represents a significant evolution in social engineering tactics, driven by users’ increasing familiarity with traditional phishing methods and the widespread adoption of multi-factor authentication.

The attackers demonstrated remarkable patience and adaptability, working with their target to troubleshoot technical issues and providing responsive support to ensure the compromise succeeded.

When Giles initially had difficulty creating ASPs on his primary accounts, the attackers provided detailed troubleshooting assistance, even requesting screenshots of specific Google account pages to help resolve the issues.

This level of customer-service-style support is unprecedented in most cyber attacks and highlights the resources and sophistication of state-sponsored operations.

Mitigations

Google has responded to this attack type by recommending enrollment in their Advanced Protection Program for high-risk individuals, which prevents the creation of App-Specific Passwords due to enhanced security requirements.

Security researchers also recommend that organizations audit their use of ASPs and disable them unless specifically needed for legitimate business purposes.
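One way to carry out that ASP audit, as an added example that is not code from the article, Google or Citizen Lab: it assumes the response shape of the Admin SDK Directory API asps.list method (items with codeId, name, creationTime, lastTimeUsed) and uses constructed sample data and a hypothetical list of name hints to flag ASPs that look like remote organisations rather than local mail clients, were created recently, or are stale and can be revoked.

```python
"""Audit a user's Google app-specific passwords (ASPs) and flag entries to review.
Added example, not code from the article, Google or Citizen Lab. It assumes the JSON
shape of the Admin SDK Directory API asps.list response: items with codeId, name,
creationTime and lastTimeUsed (epoch milliseconds as strings, "0" if never used).
Sample data and name hints below are constructed."""
from datetime import datetime, timedelta, timezone

SAMPLE_ASP_LIST = {  # constructed sample response for one user, not real account data
    "kind": "admin#directory#aspList",
    "items": [
        {"codeId": 1, "name": "Thunderbird on laptop",
         "creationTime": "1700000000000", "lastTimeUsed": "1750000000000"},
        {"codeId": 2, "name": "ms.state.gov",
         "creationTime": "1748736000000", "lastTimeUsed": "1749000000000"},
        {"codeId": 3, "name": "old printer",
         "creationTime": "1600000000000", "lastTimeUsed": "0"},
    ],
}
SAMPLE_NOW = datetime(2025, 6, 20, tzinfo=timezone.utc)  # fixed clock for the sample

# Hypothetical hints: an ASP normally names a local mail client or device, so names
# that look like domains, tenants or "secure" portals deserve a closer look.
SUSPICIOUS_NAME_HINTS = (".gov", "state", "tenant", "guest", "secure")

def _ms_to_dt(ms: str) -> datetime:
    """Convert an epoch-milliseconds string to an aware UTC datetime."""
    return datetime.fromtimestamp(int(ms) / 1000, tz=timezone.utc)

def audit_asps(asp_list: dict, now: datetime, recent_days: int = 30,
               stale_days: int = 365) -> list[dict]:
    """Return one finding per ASP that needs review, with the reasons."""
    findings = []
    for asp in asp_list.get("items", []):
        reasons = []
        name = asp.get("name", "").lower()
        created = _ms_to_dt(asp["creationTime"])
        last_used_ms = int(asp.get("lastTimeUsed", "0"))
        if any(hint in name for hint in SUSPICIOUS_NAME_HINTS):
            reasons.append("name mimics an organisation or portal")
        if now - created < timedelta(days=recent_days):
            reasons.append("created recently; confirm the user really set it up")
        if last_used_ms == 0 or now - _ms_to_dt(str(last_used_ms)) > timedelta(days=stale_days):
            reasons.append("never or not recently used; candidate for revocation")
        if reasons:
            findings.append({"codeId": asp["codeId"], "name": asp["name"], "reasons": reasons})
    return findings
```

In a real deployment the dictionary would come from asps.list for each user, and flagged codeIds would be reviewed with the user before being removed.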

The success of this attack has prompted concerns about future campaigns targeting similar authentication mechanisms across other platforms.

Many services beyond Google, including Apple ID accounts, support similar app-specific password features, making them potential targets for similar social engineering campaigns.

As Giles has publicly warned, the compromised information may be manipulated and selectively released as part of future information operations, highlighting the broader strategic implications of such targeted attacks against researchers and civil society organizations.

IoCs

SHA256: 329fda9939930e504f47d30834d769b30ebeaced7d73f3c1aadd0e48320d6b39


The post New Sophisticated Attack Exploits Google App Passwords to Bypass Multi-Factor Authentication appeared first on Cyber Security News.