- International critics of Russia and academics have received phishing emails
- Slow rapport building with fake US State Department teams
- Victims are tricked into sharing Google app-specific passwords
Google Threat Intelligence Group (GTIG) has shared details of a new threat actor tracked as UNC6293, believed to be a Russian state-sponsored group, targeting prominent academics and critics of the country.
Victims have reportedly been receiving phishing emails using spoofed ‘@state.gov’ addresses in the CC field to build credibility, but instead of being hit with immediate malicious payloads, the attackers are using social engineering tactics to build rapports with their targets.
Google’s researchers uncovered the slow-paced nature attackers used to build rapports with their victims, often sending them personalized emails and inviting them to private conversations or meetings.
Academics and critics are being targeted by Russia
In one screenshot shared by Google’s threat intelligence team, Keir Giles, a prominent British researcher on Russia, received a fake US Department of State email believed to be part of the UNC6293 campaign.
“Several of my email accounts have been targeted with a sophisticated account takeover that involved impersonating the US State Department,” Giles shared on LinkedIn.
In the attack email, victims receive a benign PDF attachment designed to look like an invitation to securely access a (fake) Department of State cloud environment. It’s this website that ultimately gives the attackers, which Google believes could be linked to APT29 (aka Cozy Bear, Nobelium), access to a user’s Gmail account.
Victims are guided to create an app-specific password (ASP) at account.google.com, and then share that 16-character ASP with the attackers.
“ASPs are randomly generated 16-character passcodes that allow third-party applications to access your Google Account, intended for applications and devices that do not support features like 2-step verification (2SV),” Google explained.
Google highlights users can create or revoke ASPs at any time, and a pop-up on its site even advises users that ASPs “aren’t recommended and are unnecessary in most cases.”
More importantly, though, is that while attacks come in all different flavors, social engineering and phishing remain highly effective vectors – and yet they’re typically comparably easy to detect, with a bit of prior understanding and training.
The standard advice, then, remains – avoid clicking on attachments from email addresses you’re unfamiliar with, and certainly never share account credentials with unknown individuals.
