惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

雷峰网
雷峰网
宝玉的分享
宝玉的分享
I
InfoQ
P
Privacy International News Feed
V
V2EX
IT之家
IT之家
S
SegmentFault 最新的问题
D
Darknet – Hacking Tools, Hacker News & Cyber Security
V2EX - 技术
V2EX - 技术
C
CERT Recently Published Vulnerability Notes
C
Check Point Blog
The Register - Security
The Register - Security
爱范儿
爱范儿
博客园 - 三生石上(FineUI控件)
AWS News Blog
AWS News Blog
M
MIT News - Artificial intelligence
C
Cyber Attacks, Cyber Crime and Cyber Security
F
Fortinet All Blogs
B
Blog
N
Netflix TechBlog - Medium
B
Blog RSS Feed
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Last Week in AI
Last Week in AI
T
Threatpost
Forbes - Security
Forbes - Security
U
Unit 42
A
Arctic Wolf
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
P
Palo Alto Networks Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Recorded Future
Recorded Future
L
Lohrmann on Cybersecurity
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
P
Proofpoint News Feed
月光博客
月光博客
Spread Privacy
Spread Privacy
MongoDB | Blog
MongoDB | Blog
Jina AI
Jina AI
I
Intezer
V
Visual Studio Blog
阮一峰的网络日志
阮一峰的网络日志
The Hacker News
The Hacker News
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
L
LangChain Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
博客园_首页
MyScale Blog
MyScale Blog
腾讯CDC
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
量子位

Cyber Kendra

Free Fire Players Can Now Win 150 Million Play Points—Every Kill Counts Free Fire Players Can Now Win 150 Million Play Points—Every Kill Counts Free Fire Players Can Now Win 150 Million Play Points—Every Kill Counts Appeal for Banned YouTube Channel— Here's How to Get Your Channel Back 3 Best Ways to Reconnect With Someone You Lost Contact With How to Block YouTube on Windows 11 What is Open-Source Intelligence (OSINT)? — History, Techniques & Tools How To Convert Windows 11 Enterprise Evaluation to Full Version AnyFlip Downloader (Free, Fast & No Login Required) – Download PDFs Instantly Cyber Kendra Cyber Kendra Cyber Kendra Cyber Kendra Cyber Security Lead Generation to Boost Your Sales Pipeline Download ExaGear APK + OBB for Android | Windows Emulator 2026 Download ExaGear APK + OBB for Android | Windows Emulator 2026 Download ExaGear APK + OBB for Android | Windows Emulator 2026 Download ExaGear APK + OBB for Android | Windows Emulator 2026 Download ExaGear APK + OBB for Android | Windows Emulator 2026 Download ExaGear APK + OBB for Android | Windows Emulator 2026 Pirates Bay Proxy List April 2026: Unblock Pirate Bay Cyber Kendra Pirates Bay Proxy List April 2026: Unblock Pirate Bay Pirates Bay Proxy List April 2026: Unblock Pirate Bay
Russian Hackers Perfect New Social Engineering Attack That Bypasses MFA
Admin · 2025-06-19 · via Cyber Kendra

Russian Social Engineering Phishing Attack

Russian government-linked hackers have developed a sophisticated new social engineering technique that successfully bypasses multi-factor authentication (MFA) by tricking targets into creating and sharing app-specific passwords—credentials that provide complete account access without triggering security alerts.

The attack, documented by both The Citizen Lab and Google's Threat Intelligence Group (GTIG), successfully compromised Keir Giles, a prominent academic expert on Russian information operations and senior associate at Chatham House. 

Google has identified this as part of a broader campaign targeting multiple academics and critics of Russia across two distinct operations running from April through June 2025.

The attack began on May 22, 2025, when Giles received what appeared to be a legitimate consultation invitation from "Claudie S. Weber," allegedly a U.S. State Department official. 

The message included multiple @state.gov email addresses in the CC field—a clever psychological trick that made the correspondence appear authentic since recipients naturally assume government employees would object if the communication were fraudulent.

Over three weeks and more than 10 email exchanges, the attackers patiently guided Giles through what they claimed was a registration process for the State Department's "MS DoS Guest Tenant" platform. They provided an official-looking PDF document with detailed instructions for creating app-specific passwords, which they falsely described as necessary credentials for accessing the secure government system.

"The attackers skillfully reframed, creating and sending them an ASP as creating and sharing a code to obtain access to an application maintained by the State Department," the Citizen Lab researchers explained. "In reality, of course, the ASP would provide them complete and persistent access to his accounts."

Understanding App-Specific Passwords

App-specific passwords (ASPs) are legitimate security features designed for applications that cannot support standard multi-factor authentication. 

When users enable MFA on accounts like Gmail, certain older applications or email clients require these special passwords to maintain access. Unlike regular passwords, ASPs bypass MFA entirely once created, making them powerful tools in the wrong hands.

Google automatically sends notifications when ASPs are created, alerting users via Gmail, recovery email, and signed-in devices. However, in this attack, the victims believed they were legitimately creating these credentials for government access, so the notifications didn't raise suspicion.

Broader Campaign Targeting Russia Critics

Google's investigation revealed this wasn't an isolated incident but part of a coordinated campaign. GTIG identified two distinct operations running simultaneously, both targeting academics and critics of Russia using nearly identical tactics. 

The second campaign employed Ukrainian and Microsoft-themed app-specific password names, suggesting the attackers are testing various geopolitical themes to maximize their success rate.

Both campaigns utilized the same residential proxy infrastructure, allowing Google to connect the operations to a single threat actor group. This infrastructure reuse also enabled Google to identify and secure additional compromised accounts beyond the initial discovery.

The attackers demonstrated sophisticated technical knowledge by having Giles enter "ms.state.gov" in the app name field—a meaningless label that nonetheless reinforced the deception that he was registering a legitimate government application. This attention to psychological detail, combined with the unhurried pacing of the attack, helped maintain credibility throughout the extended social engineering campaign.

Attribution and Broader Campaign

Google's Threat Intelligence Group later identified the attackers as UNC6293, a Russian state-sponsored group with low-confidence links to APT29 (also known as "Cozy Bear"), which is attributed to Russia's Foreign Intelligence Service. 

The same group has launched similar campaigns with Ukrainian themes, suggesting this technique is being deployed more broadly.

After successfully obtaining Giles's app-specific passwords, the attackers accessed his accounts on June 4, 2025, using a Digital Ocean IP address. Giles suspects the stolen information may be manipulated and selectively released in future disinformation campaigns—a common tactic where "falsehoods are buried in forests of facts" to lend credibility to misleading narratives.

Protecting Against Advanced Social Engineering

Security experts warn that this attack represents a concerning evolution in social engineering tactics. Traditional phishing education focuses on obvious red flags, but this campaign deliberately avoided typical warning signs through patient, responsive communication and carefully crafted legitimacy indicators.

For high-risk individuals such as journalists, activists, and researchers, Google's Advanced Protection Program provides additional safeguards against sophisticated attacks. Organizations should also audit app-specific password usage, disabling the feature unless specifically required, and educate users about the risks these credentials pose.

The incident underscores how attackers are successfully adapting to improved security measures. As MFA adoption increases and users become more aware of traditional phishing tactics, threat actors are developing increasingly sophisticated social engineering approaches that exploit the complex ecosystem of modern authentication systems.

"Attackers are constantly adjusting their tactics," the researchers noted, emphasizing the need for continuous vigilance even among security-conscious users. This case serves as a stark reminder that in cybersecurity, the human element often remains the weakest link, regardless of technical protections in place.