Gmail Accounts Compromised as Russian Hackers Bypass MFA

In a troubling new wave of cyberattacks, a Russian state-sponsored cyber threat actor has been caught impersonating the U.S. Department of State to gain unauthorized access to Gmail accounts, specifically those belonging to targeted prominent academics and critics of Russia.

According to security researchers at Google's Threat Intelligence Group (GTIG), the attacks began in at least April and continued through early June 2025. The hackers, tracked under the name UNC6293 and suspected to be linked to the well-known APT29/ICECAP group, relied on carefully crafted social engineering tactics to extract login credentials from their victims.

Hackers Used Deception, Not Malware

Rather than deploying typical malware or blatant phishing links, the attackers took a more subtle approach: they built trust with their targets over time through personalized emails and fake meeting invites. To enhance their credibility, the attackers spoofed official-looking U.S. Department of State email addresses, even including them in the CC line of their messages.

One example, shared by Keir Giles, a prominent British researcher on Russia, shows a forwarded message (see below) with a seemingly credible Department of State address included among the recipients—a key tactic used to gain trust.

https://storage.googleapis.com/gweb-cloudblog-publish/images/russia-asp-fig1.max-600x600.png

Once the target responded, the attackers sent a seemingly harmless-looking PDF file — customized to each recipient and themed to resemble official State Department communication — with fake instructions claiming to help them access a secure U.S. government system.

In reality, the document guided the victim to create what's known as an Application-Specific Password (ASP)—a unique 16-character code used to allow apps access to Gmail accounts, bypassing two-step verification.

Crucially, the victim was instructed to send this code back to the attacker. Armed with the ASP, the hackers could log into the user's email undetected, gaining long-term access without needing regular passwords or triggering MFA (multi-factor authentication) alerts.

“The attackers then set up a mail client to use the ASP, likely with the end goal of accessing and reading the victim’s email correspondence. This method also allows the attackers to have persistent access to accounts,” GTIG wrote in a blog post on Thursday.

Two Campaigns, One Strategy

GTIG identified two separate but related campaigns:

Campaign 1 used a U.S. State Department theme, suggesting the ASP name "ms.state.gov."

Campaign 2 featured a mix of Ukrainian and Microsoft branding.

Both campaigns used the same residential proxies (91.190.191.117) and virtual private servers (VPS) in the infrastructure, making it easier for investigators to link them together.
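The ASP abuse described above (an app password created in a signed-in session, then used by a mail client from attacker infrastructure) is the kind of sequence a defender can correlate in account audit logs. The following is an added example, not code from the article or from Google: it runs a simple rule over constructed sample events in an illustrative, simplified schema (not Google's real audit-log format), flagging an app-password login that follows an ASP creation for the same account within 24 hours from an IP the account has never used, or from the proxy IP quoted in the article.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, illustrative schema (not Google's real audit-log format).
EVENTS = [
    {"ts": "2025-05-02T09:00:00", "user": "prof@example.org", "event": "login",
     "method": "password_mfa", "ip": "203.0.113.10"},
    {"ts": "2025-05-02T09:05:00", "user": "prof@example.org", "event": "asp_created",
     "name": "ms.state.gov", "ip": "203.0.113.10"},
    {"ts": "2025-05-02T09:40:00", "user": "prof@example.org", "event": "login",
     "method": "app_password", "ip": "91.190.191.117"},
    {"ts": "2025-05-03T08:00:00", "user": "alice@example.org", "event": "asp_created",
     "name": "thunderbird", "ip": "198.51.100.7"},
    {"ts": "2025-05-03T08:01:00", "user": "alice@example.org", "event": "login",
     "method": "app_password", "ip": "198.51.100.7"},
    {"ts": "2025-05-04T10:00:00", "user": "bob@example.org", "event": "asp_created",
     "name": "mail", "ip": "198.51.100.9"},
    {"ts": "2025-05-04T11:30:00", "user": "bob@example.org", "event": "login",
     "method": "app_password", "ip": "192.0.2.55"},
]
KNOWN_BAD_IPS = {"91.190.191.117"}  # proxy IP quoted in the article
WINDOW = timedelta(hours=24)

def find_suspicious_asp_use(events, known_bad=KNOWN_BAD_IPS, window=WINDOW):
    """Flag an app-password login that follows an ASP creation for the same
    account within `window` and comes from an IP the account has never used
    (or from a known bad IP). Returns a list of alert dicts."""
    seen_ips = {}     # user -> IPs seen on interactive logins and ASP creation
    asp_created = {}  # user -> (timestamp, ASP name) of the latest ASP creation
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, user, ip = datetime.fromisoformat(e["ts"]), e["user"], e["ip"]
        if e["event"] == "asp_created":
            asp_created[user] = (ts, e["name"])
            seen_ips.setdefault(user, set()).add(ip)
        elif e["event"] == "login" and e["method"] == "app_password":
            created = asp_created.get(user)
            if created is None or ts - created[0] > window:
                continue  # no recent ASP creation to correlate with
            if ip in known_bad:
                alerts.append({"user": user, "asp": created[1], "ip": ip, "reason": "known_bad_ip"})
            elif ip not in seen_ips.get(user, set()):
                alerts.append({"user": user, "asp": created[1], "ip": ip, "reason": "new_ip"})
        elif e["event"] == "login":
            seen_ips.setdefault(user, set()).add(ip)
    return alerts

if __name__ == "__main__":
    for a in find_suspicious_asp_use(EVENTS):
        print(a)
```

The benign case (alice creating an ASP and using it from the same address) produces no alert; the two other accounts match the pattern for different reasons.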

Measures Taken

Google says it has already re-secured the Gmail accounts compromised by these campaigns and is actively working to prevent future attacks of this kind. The company reminds users that ASPs can be created and revoked at any time. When an ASP is created, Google automatically sends a notification to the user's corresponding Gmail account, recovery email address, and any signed-in devices with that Google account to confirm that the action was intentional.

For high-risk users, such as journalists, activists, and political analysts, Google provides enhanced security resources such as the Advanced Protection Program (APP), which offers stronger security and disables the ability to create ASPs entirely.

"We hope that improved understanding of tactics and techniques will enhance threat hunting capabilities and lead to stronger user protections across the industry," concluded the blog post.
