https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia

Russian state-sponsored hackers have successfully bypassed Gmail’s multi-factor authentication protections through sophisticated social engineering attacks that trick victims into creating and sharing app-specific passwords. The threat group, tracked as UNC6293 by Google’s Threat Intelligence team and believed to be associated with APT29 under Russia’s Foreign Intelligence Service, targeted prominent academics and critics of Russia between April and early June 2025. The attackers impersonated U.S. Department of State officials in carefully crafted phishing campaigns designed to convince recipients that sharing their app-specific passwords was necessary for accessing a secure government communication platform.

The attack methodology demonstrated exceptional patience and attention to detail, with hackers engaging in extended email exchanges to build trust before requesting the sensitive authentication credentials. In one documented case investigated by The Citizen Lab, the attackers targeted Russian information operations expert Keir Giles by inviting him to join a fictitious “MS DoS Guest Tenant” platform. The threat actors provided detailed PDF instructions explaining how to create app-specific passwords, falsely claiming this was required for secure external user access to State Department systems. To add credibility to the deception, the attackers carbon-copied fake email addresses at the legitimate state.gov domain, exploiting the fact that the State Department’s email server is configured to accept messages to non-existent addresses.

Security researchers emphasize that once victims share their app-specific passwords, attackers gain full access to Gmail accounts despite active two-factor authentication protections. Google has identified two distinct campaigns, using U.S. Department of State themes and Ukraine- and Microsoft-themed lures, with the threat actors employing residential proxies and virtual private servers to maintain anonymity when accessing compromised accounts. To protect against such advanced attacks, Google recommends that high-profile individuals enroll in its Advanced Protection Program, which prevents the creation of app-specific passwords and requires additional security measures, including passkey authentication, for account access.