Threat analysis by The RabitaNoor (RBTN) Cyber Research Center

Russian Hackers Bypass Gmail MFA Using Stolen App Passwords

The goal of this document is to provide a technical and strategic analysis of a much larger source (document, audio, etc.).

The document is a product of the RBTN - CYOI Pulpit


[Main image: Photo by Yeshi Kangrang]


Document Summary

Russian hackers, identified as UNC6293 and potentially linked to APT29, bypassed Gmail's multi-factor authentication by exploiting app-specific passwords in a sophisticated social engineering attack. The campaign targeted well-known academics and critics of Russia, impersonating U.S. Department of State officials. The attackers used phishing emails to convince targets to create and share app-specific passwords, granting them access to Gmail accounts. The Citizen Lab and Google Threat Intelligence Group tracked the campaign, noting its use of residential proxies and VPS servers for anonymity. Google recommends its Advanced Protection Program to prevent such attacks.

Analysis

Overview

Timestamp: 2025-06-21

Title: Russian Hackers Bypass Gmail MFA Using Stolen App Passwords

Severity: High

The incident involves Russian hackers, identified as UNC6293, potentially linked to APT29, conducting a sophisticated phishing campaign. The adversary used social engineering to bypass Gmail MFA by exploiting app-specific passwords. The infrastructure included residential proxies and VPS servers for anonymity. Victims were well-known academics and critics of Russia, targeted for sensitive information.
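As an added illustration of how a defender might spot the pattern described above (this is not code from the RBTN report or from Google), the following Python heuristic correlates app-password creation with later app-password logins from unfamiliar or watchlisted IPs. The event schema and sample events are constructed stand-ins, and the watchlist holds the IP indicator given later on this page.

```python
# Added example (not from the RBTN report): heuristic detector for the app-password MFA bypass
# described above. The event format is a simplified stand-in, not Google's real log schema.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: the target creates an app password after the lure,
# and the attacker later logs in with it from a proxy IP; Alice's use is benign.
SAMPLE_EVENTS = [
    {"ts": "2025-06-10T09:02:00Z", "user": "prof@example.edu", "event": "login",
     "ip": "203.0.113.5", "auth": "password+mfa"},
    {"ts": "2025-06-10T09:15:00Z", "user": "prof@example.edu",
     "event": "app_password_created", "ip": "203.0.113.5"},
    {"ts": "2025-06-10T11:40:00Z", "user": "prof@example.edu", "event": "login",
     "ip": "91.190.191.117", "auth": "app_password"},
    {"ts": "2025-06-11T08:00:00Z", "user": "alice@example.edu", "event": "login",
     "ip": "198.51.100.7", "auth": "password+mfa"},
    {"ts": "2025-06-11T09:00:00Z", "user": "alice@example.edu", "event": "login",
     "ip": "198.51.100.7", "auth": "app_password"},  # benign: mail client on a known IP
]
WATCHLIST = {"91.190.191.117"}  # the IP indicator named in this report
WINDOW = timedelta(hours=48)    # app password created within this window of first use

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_suspicious_app_password_use(events, watchlist=WATCHLIST, window=WINDOW):
    """Flag app-password logins from a watchlisted IP, from an IP the user has never
    completed MFA from, or shortly after an app password was created for that user."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        mfa_ips, created = set(), []  # per-user state accumulated in time order
        for e in evs:
            t = parse_ts(e["ts"])
            if e["event"] == "app_password_created":
                created.append(t)
            elif e["event"] == "login" and e.get("auth") == "password+mfa":
                mfa_ips.add(e["ip"])
            elif e["event"] == "login" and e.get("auth") == "app_password":
                reasons = [r for ok, r in (
                    (e["ip"] in watchlist, "watchlisted_ip"),
                    (e["ip"] not in mfa_ips, "ip_never_seen_with_mfa"),
                    (any(timedelta(0) <= t - c <= window for c in created), "recent_app_password_creation"),
                ) if ok]
                if reasons:
                    alerts.append({"user": user, "ts": e["ts"], "ip": e["ip"], "reasons": reasons})
    return alerts
```

On a real tenant the same correlation would be fed from the identity provider's audit log, with the watchlist populated from threat intelligence rather than a single hard-coded IP.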

Adversary

Adversary: Russian hackers, tracked as UNC6293, potentially linked to APT29, conducted a sophisticated phishing campaign.

Motivation: State-sponsored espionage

Sophistication: High

TTPs:

Capability

Capability: The adversary used advanced social engineering techniques to bypass Gmail MFA.

Tools: Phishing emails, App-specific passwords

Evasion: Use of residential proxies and VPS servers

Infrastructure

Description: The campaign used residential proxies and VPS servers to maintain anonymity.

IPs: 91.190.191[.]117

Victim Profile

Targets: Targets included well-known academics and critics of Russia.

Industry: Academia, Government

Assets: Gmail accounts

Data at Risk: Email communications, Sensitive information

Impact: High

References