    Gmail Accounts Under Attack as Russian Hackers Target Critics


    A newly identified Russian hacking group, believed to be state-sponsored, is breaking into Gmail accounts through patient social engineering rather than malware. Tracked in cybersecurity circles as UNC6293, the group is zeroing in on international voices critical of the Russian government: academics, political observers, and activists.

    Rather than pushing malware straight away, the hackers go slow. They first build trust through elaborate social engineering. Then they trick victims into handing over a Google app password (often called an app-specific password, or ASP), a 16-character code that lets a mail client sign in to Gmail without a 2-Step Verification prompt and so gives the hackers ongoing access to the mailbox.


    How the Trick Works: Phishing That Feels Real

    1. A Personalized Intro

    Hackers begin with a friendly, customized email. The sender address is spoofed or made to look official, often ending in @state.gov, and several other @state.gov addresses are CC'd to boost authenticity. Referencing the target's own work or research gives the message a real feel.

    2. “Let’s Talk in Private”

    Next up, they invite victims to “secure” private chats, usually vague but professional-sounding. These exchanges build rapport, making victims feel they’re dealing with official contacts.

    3. Attached PDF Invitation

    The email includes a PDF that looks like a legit invitation: “Join us on a secure Department of State platform.” But that document nudges victims toward a phony login site.

    4. Creating an App-Specific Password (ASP)

    Rather than entering their real password, victims are asked to generate an app password at myaccount.google.com, a 16-character code meant for legacy third-party apps such as older mail clients.
    They are convinced it is safe because it is not their main password, and because Google still offers the feature to anyone who has 2-Step Verification turned on.

    Hackers then ask victims to send them this code, claiming it’s needed for access.

    5. Ongoing Access

    Once the hackers have the ASP, they can sign in to Gmail over IMAP or a similar mail protocol as if they were the user, with no 2-Step Verification prompt. This lets them read messages, steal contacts, track communications, and keep persistent access, all without the user's real password or any further approval.

    Who’s Getting Hit and Why It Matters

    The targets are well-chosen:

    • Academics who publish critical research on Russian policy
    • International activists working on human rights or democracy
    • Journalists covering Russia
    • Political critics or dissidents

    One high-profile victim is Keir Giles, a British expert on Russia. He received a fake invitation that appeared to come from the U.S. State Department, and he has said that multiple email accounts were compromised. The attackers used a slow, seemingly innocuous approach to draw him in.

    Why does this matter now?

    Risk factor            What it means to victims
    Spear-phishing focus   Customized, believable messages make even careful users slip
    ASP access             Easy route into Gmail: no password reset needed, no 2-Step Verification prompt
    Deep reconnaissance    Attackers can read private email, monitor activity, and harvest contacts
    State-sponsored edge   Well resourced, patient, and able to target precisely

    UNC6293 is suspected to have ties to APT29, also called Cozy Bear or Nobelium, the same group behind the 2020 SolarWinds breach and other major espionage incidents. That history makes their methods especially credible and dangerous.

    Why Google App Passwords Are a Weak Link

    What Are App‑Specific Passwords?

    Google created ASPs so apps and devices that cannot handle modern sign-in (including 2-Step Verification prompts) can still access your account. They are randomly generated, 16-character codes, available only when 2-Step Verification is turned on, that let a client sign in to Gmail without your main password and without a 2-Step Verification prompt.

    Why Hackers Want Them

    ASPs are powerful. Once someone has yours, they can:

    • Sign in to Gmail from anywhere without your primary password
    • Keep working until the app password itself is revoked; do not rely on a password change alone to clean up, but open the App passwords page and delete anything you do not recognize
    • Skip the 2-Step Verification prompt that would normally block a sign-in from an unknown device

    Google's own help text warns that app passwords "aren't recommended and are unnecessary in most cases." Few users notice, and once created an app password stays valid until it is revoked; the usual legitimate case is a mail client on an older device that only speaks protocols such as IMAP.


    Spotting the Signs and Protecting Yourself

    Despite the slick scheme, the attack shows clear phishing signs:

    Watch for These Red Flags

    • PDF attachments: PDFs claiming to be official invitations, especially to private platforms, are suspect.
    • Spoofed email addresses: The "From" header can be forged, even if it ends in @state.gov. Check the Authentication-Results header for the SPF, DKIM and DMARC results rather than trusting the display name.
    • Pressure to share passwords: Legit U.S. government agencies never ask for ASPs or credentials.
    • Social engineering: Unsolicited emails labeled “Let’s talk privately” with personalized details.

    Practical Prevention Tips

    1. Never share your ASP
      Treat it like your main password. Don’t give it to anyone, and if asked, consider it hostile.
    2. Revoke unused or suspicious ASPs.
      Visit myaccount.google.com/apppasswords (Google Account → Security → 2-Step Verification → App passwords) and delete any codes you don't recognize or no longer use.
    3. Use modern MFA
      Use security keys or authenticator apps instead of ASPs whenever possible. If you are a likely target, enroll in Google's Advanced Protection Program, which requires a security key or passkey to sign in and blocks app passwords entirely.
    4. Inspect email headers
      View full headers to confirm a message truly comes from an official domain, not a cleverly spoofed address.
    5. Beware of invites to “secure platforms.”
      If you get unexpected invites to government or private portals, verify via trusted channels before clicking.
    6. Ask for help
      If unsure, reach out to your organization’s IT or Google’s security team directly.
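As an added example (not from the article, and not Google's code), here is a small Python script that does the header check from tip 4 mechanically: it parses a message's Authentication-Results, From, Reply-To and Return-Path headers and reports every place where the visible sender and the identities the receiving server actually verified disagree. The two messages are constructed for the example; mail-relay.example.net, gmail-lookalike.example.com and researcher@example.org are placeholders, and only state.gov comes from the article.

```python
import re
import email
from email.utils import parseaddr

# Constructed sample messages (not real mail). The first imitates the lure
# described above: the From line claims @state.gov, but the envelope sender,
# DKIM signer and Reply-To all point elsewhere, and the receiving server's
# Authentication-Results header records SPF softfail and DMARC fail.
SUSPICIOUS_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning bounce@mail-relay.example.net does not designate 203.0.113.10 as permitted sender) smtp.mailfrom=bounce@mail-relay.example.net;
       dkim=pass header.i=@mail-relay.example.net header.s=sel1 header.b=abc123;
       dmarc=fail (p=REJECT sp=REJECT dis=NONE) header.from=state.gov
From: "Office of Public Affairs" <public.affairs@state.gov>
Reply-To: <public.affairs.dos@gmail-lookalike.example.com>
To: researcher@example.org
Cc: colleague1@state.gov, colleague2@state.gov
Subject: Invitation to a secure Department of State platform

Please find the attached invitation.
"""

# The second shows what a genuinely authenticated message from the same domain
# looks like: SPF, DKIM and DMARC all pass and every sender identity aligns.
LEGIT_MESSAGE = """\
Return-Path: <bounces@state.gov>
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of bounces@state.gov designates 192.0.2.25 as permitted sender) smtp.mailfrom=bounces@state.gov;
       dkim=pass header.i=@state.gov header.s=sel2 header.b=def456;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=state.gov
From: "Office of Public Affairs" <public.affairs@state.gov>
To: researcher@example.org
Subject: Follow-up on your request

Thank you for your message.
"""


def domain_of(header_value: str) -> str:
    """Lower-cased domain part of the first address in a header value."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def aligned(domain: str, from_domain: str) -> bool:
    """DMARC-style relaxed alignment: same domain or a subdomain of it."""
    return domain == from_domain or domain.endswith("." + from_domain)


def parse_auth_results(value: str) -> dict:
    """Pull the spf/dkim/dmarc results and the DKIM signing domain out of an
    Authentication-Results header (folded continuation lines are joined first)."""
    value = re.sub(r"\s+", " ", value)
    out = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", value)
        if m:
            out[method] = m.group(1).lower()
    m = re.search(r"header\.[di]=@?([\w.-]+)", value)
    if m:
        out["dkim_domain"] = m.group(1).lower()
    return out


def inspect_headers(raw: str) -> dict:
    """Compare the visible From domain with every other sender identity the
    receiving server recorded, and list each disagreement as a finding."""
    msg = email.message_from_string(raw)
    from_domain = domain_of(msg.get("From", ""))
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    reply_to = msg.get("Reply-To")
    reply_to_domain = domain_of(reply_to) if reply_to else from_domain
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    findings = []

    if auth.get("spf") != "pass":
        findings.append(f"SPF: {auth.get('spf', 'no result')} for envelope sender {return_path_domain}")
    if auth.get("dkim") != "pass":
        findings.append(f"DKIM: {auth.get('dkim', 'no result')}")
    elif not aligned(auth.get("dkim_domain", ""), from_domain):
        findings.append(f"DKIM signed by {auth['dkim_domain']}, not by {from_domain}")
    if auth.get("dmarc") != "pass":
        findings.append(f"DMARC: {auth.get('dmarc', 'no result')} for {from_domain}")
    if return_path_domain and not aligned(return_path_domain, from_domain):
        findings.append(f"Return-Path domain {return_path_domain} does not match From domain {from_domain}")
    if reply_to_domain != from_domain:
        findings.append(f"Replies go to {reply_to_domain}, not to {from_domain}")

    return {"from_domain": from_domain, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, raw in (("lure", SUSPICIOUS_MESSAGE), ("legit", LEGIT_MESSAGE)):
        result = inspect_headers(raw)
        print(label, "suspicious" if result["suspicious"] else "clean")
        for finding in result["findings"]:
            print("  -", finding)
```

The lure trips every check (SPF softfail, an unaligned DKIM signer, DMARC fail, a foreign Return-Path and a Reply-To that diverts the conversation), while the genuine message produces no findings. In Gmail the raw headers are under the message menu, "Show original"; the Reply-To check matters because a spoofed From is useless to the attacker unless replies come back to an address they control.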

    Bigger Picture: Why This Isn’t Just Another Phish

    This isn't random spam or mass malware; it's precision espionage. Several signs point to that:

    • Targeted selection
      Only high-profile critics and analysts get these personalized emails.
    • Long game
      Hackers build rapport slowly, earning trust before making any ask.
    • Limited scope
      Instead of flooding thousands of inboxes, they approach a small number of carefully chosen people, which makes the campaign much harder to detect.
    • High-value payoff
      Gmail access reveals sensitive intel, personal discussions, sources, correspondence, that state actors prize.

    UNC6293’s approach isn’t flashy. It’s subtle. Similar to how Cozy Bear lay low before unleashing malware in the SolarWinds hack, this campaign is about stealth and staying hidden inside target accounts.

    What to Do If You Think You’re Targeted

    1. Don’t panic, but don’t ignore it.
      Responding quickly can minimize damage.
    2. Revoke app‑specific passwords you didn’t create or no longer use.
      You can do this in your Google Account settings under Security > App Passwords.
    3. Check your account activity
      In Gmail, click Details under Last account activity at the bottom of the inbox to see recent sessions, and review Your devices at myaccount.google.com/device-activity.
    4. Reset your main password and enable strong MFA
      Use a password manager to generate a unique password. Enable authenticator apps or security keys, and avoid basic SMS codes.
    5. Alert your contacts
      If you suspect your Gmail was compromised, tell your close contacts to ignore any strange emails from you, especially ones asking for info or links.
    6. Report to Google
      Go to Security > Security Checkup in your account or visit Google’s phishing support page.
    7. Consider notifying authorities or your organization’s SOC
      Especially if you’ve discussed sensitive or classified information in an email.
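To make steps 2 and 3 concrete for an organization that manages its accounts through Google Workspace, here is an added Python example (not from the article, and not Google's code) that triages one user's app-password inventory, the weak link described earlier: it takes the items of a Directory API asps.list response, flags any app password that was created recently, carries a name the user does not recognize, or has never been used, and builds the asps.delete URL for each one. The response below is constructed to mirror the documented field names; treating creationTime and lastTimeUsed as epoch-millisecond strings with "0" meaning never used, the user alice@example.org, and the app names are all assumptions of the example. Consumer Gmail users do the same review by hand on the App passwords page.

```python
DAY_MS = 86_400_000
# Fixed reference time (milliseconds since the Unix epoch) so the run is
# deterministic; a real script would use int(time.time() * 1000).
NOW_MS = 1_750_000_000_000

# Constructed sample, shaped like the items of a Directory API asps.list
# response for one user. Field names follow the API reference; treating
# creationTime and lastTimeUsed as epoch-millisecond strings, and "0" as
# "never used", are assumptions of this example. Not real data.
SAMPLE_ASP_LIST = {
    "kind": "admin#directory#aspList",
    "items": [
        {"kind": "admin#directory#asp", "codeId": 1001, "name": "Thunderbird (laptop)",
         "creationTime": str(NOW_MS - 600 * DAY_MS),
         "lastTimeUsed": str(NOW_MS - 3 * DAY_MS), "userKey": "alice@example.org"},
        # Created two days ago under a name the user does not recognise: the
        # pattern the lure described above produces.
        {"kind": "admin#directory#asp", "codeId": 1002, "name": "State Dept platform",
         "creationTime": str(NOW_MS - 2 * DAY_MS),
         "lastTimeUsed": str(NOW_MS - 1 * DAY_MS), "userKey": "alice@example.org"},
        # Old and never used: nothing depends on it, so it should go too.
        {"kind": "admin#directory#asp", "codeId": 1003, "name": "Old phone mail",
         "creationTime": str(NOW_MS - 900 * DAY_MS),
         "lastTimeUsed": "0", "userKey": "alice@example.org"},
    ],
}

# What the user says they set up themselves (assumed; collected by asking them).
KNOWN_APPS = {"Thunderbird (laptop)"}


def triage_asps(items, known_apps, now_ms, recent_days=30):
    """Return the app passwords that deserve revocation, each with its reasons."""
    flagged = []
    for asp in items:
        reasons = []
        created_ms = int(asp.get("creationTime", "0"))
        last_used_ms = int(asp.get("lastTimeUsed", "0"))
        age_days = (now_ms - created_ms) // DAY_MS
        if age_days <= recent_days:
            reasons.append(f"created {age_days} days ago")
        if asp.get("name") not in known_apps:
            reasons.append("name not in the user's list of known apps")
        if last_used_ms == 0:
            reasons.append("never used")
        if reasons:
            flagged.append({"codeId": asp["codeId"], "name": asp.get("name"), "reasons": reasons})
    return flagged


def revoke_urls(user_key, flagged):
    """Build the asps.delete request target for each flagged password.
    The caller sends DELETE with an OAuth bearer token carrying the
    admin.directory.user.security scope (endpoint per the Directory API reference)."""
    base = "https://admin.googleapis.com/admin/directory/v1"
    return [f"{base}/users/{user_key}/asps/{f['codeId']}" for f in flagged]


if __name__ == "__main__":
    flagged = triage_asps(SAMPLE_ASP_LIST["items"], KNOWN_APPS, NOW_MS)
    for asp, url in zip(flagged, revoke_urls("alice@example.org", flagged)):
        print(f"revoke {asp['codeId']} ({asp['name']}): {'; '.join(asp['reasons'])}")
        print("  DELETE", url)
```

The "created recently" rule is the one that catches this campaign: the victim makes the app password during the conversation with the attacker, so it is the newest entry on the account. Revoking the ASP is the step that actually ends the attacker's session; resetting the password and adding a security key afterwards stops the next one.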

    Takeaways: Simple Steps, Big Protection

    • Don’t share Google app-specific passwords (ASPs) with anyone, even if the request seems official.
    • Watch for spoofed sender addresses and PDF invitations promising "secure" platforms.
    • Set up real multi-factor authentication (using authenticator apps or security keys).
    • Regularly review and revoke unused or suspicious ASPs in Google account settings.
    • Check account activity and act fast if you spot anything unusual.
    • Verify requests through trusted channels, whether IT departments or providers, before responding.

    This story was created with AI assistance and human editing.

    This is exclusive content for our subscribers.

    Enter your email address to instantly unlock ALL of the content 100% FREE forever and join our growing community of smart home enthusiasts.

    No spam, Unsubscribe at any time.

    Was this helpful?
    Like the post Dislike the post
    PREV
    NEXT

    Share this post

    Lucky you! This thread is empty,
    which means you've got dibs on the first comment.
    Go for it!

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    Send feedback to automate your life

    Describe your feedback



      We appreciate you taking the time to share your feedback about this page with us.

      Whether it's praise for something good, or ideas to improve something that isn't quite right, we're excited to hear from you.

      Live Smart