Russian Hackers Bypass Gmail 2FA Using App-Specific Passwords in Sophisticated Phishing Campaign

223/68 Friday, June 20, 2025

A Russian state-linked hacking group has been detected using a highly targeted phishing technique that bypasses Gmail’s two-factor authentication (2FA) by exploiting a lesser-known Google feature called App-Specific Passwords (ASPs). According to Google’s Threat Intelligence Group, the campaign ran from April to early June, with attackers impersonating officials from the U.S. Department of State, crafting emails in flawless English and using spoofed @state.gov email addresses to appear legitimate.

One known target was Keir Giles, a researcher at Chatham House in the UK. The attacker, posing as “Claudie S. Weber,” engaged Giles in over a dozen email exchanges, carefully building trust by sending messages during business hours in Washington, D.C. Eventually, the attacker sent a forged six-page PDF bearing an official State Department letterhead. It instructed the victim to create a 16-character ASP labeled “ms.state.gov” through their Google account settings and send it back—effectively granting the attacker persistent access to the victim’s Gmail account without needing 2FA.

Citizen Lab, which was asked to investigate, called the operation highly sophisticated and linguistically polished, with none of the grammatical errors typical of standard phishing campaigns. Researchers suspect the attackers may have used AI tools to enhance language naturalness and reduce suspicion. Google also linked this phishing activity to other campaigns involving Ukraine-related themes, with evidence of shared residential proxy IPs used across different victim targeting attempts. In response, Google has revoked all stolen ASPs, locked affected accounts, issued alerts to users, and urged high-risk individuals to enable the Advanced Protection Program (APP) and regularly audit the ASP entries in their account settings.
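The ASP audit recommended above can be scripted as a triage pass. This is an added example, not code from the source article or from Google. The input is a constructed sample shaped like the Admin SDK Directory API `asps.list` response, and the epoch-millisecond timestamp format, the hostname-label heuristic and the 30-day window are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

def _ms(y, m, d):
    """Epoch milliseconds as a string (assumed API timestamp format)."""
    return str(int(datetime(y, m, d, tzinfo=UTC).timestamp() * 1000))

# Constructed sample, shaped like the "items" of an asps.list response.
SAMPLE = {"items": [
    {"codeId": 1, "userKey": "EXAMPLE-USER-ID", "name": "Thunderbird on laptop",
     "creationTime": _ms(2021, 3, 2), "lastTimeUsed": _ms(2025, 6, 18)},
    {"codeId": 2, "userKey": "EXAMPLE-USER-ID", "name": "ms.state.gov",
     "creationTime": _ms(2025, 5, 28), "lastTimeUsed": _ms(2025, 6, 1)},
    {"codeId": 3, "userKey": "EXAMPLE-USER-ID", "name": "Old mail client",
     "creationTime": _ms(2025, 6, 10), "lastTimeUsed": "0"},
]}

# Heuristic (assumption): a label that reads like a DNS name, as in the lure
# described above, is unusual for a password the user named themselves.
HOSTNAME_LIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)

def _parse(ms):
    """Return an aware datetime, or None for missing/'0' (assumed: never used)."""
    if ms in (None, "", "0"):
        return None
    return datetime.fromtimestamp(int(ms) / 1000, tz=UTC)

def triage_asps(listing, now, recent_days=30):
    """Return (codeId, name, reasons) for each ASP that deserves a manual look."""
    findings = []
    for asp in listing.get("items", []):
        name = (asp.get("name") or "").strip()
        created = _parse(asp.get("creationTime"))
        reasons = []
        if HOSTNAME_LIKE.match(name):
            reasons.append("label looks like a hostname")
        if created and timedelta(0) <= now - created <= timedelta(days=recent_days):
            reasons.append(f"created within {recent_days} days")
        if reasons:
            findings.append((asp.get("codeId"), name, reasons))
    return findings

if __name__ == "__main__":
    for code_id, name, reasons in triage_asps(SAMPLE, datetime(2025, 6, 20, tzinfo=UTC)):
        print(f"ASP {code_id} {name!r}: {'; '.join(reasons)}")
```

Flagged entries are candidates for manual review with the account owner, not proof of compromise; an ASP the owner does not recognise should be revoked.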

Source: https://www.securityweek.com/russian-hackers-bypass-gmail-mfa-with-app-specific-password-ruse/