Russian Threat Actors Use Advanced Social Engineering to Breach Prominent Analyst’s Email
In a highly targeted cyberattack, a prominent expert on Russian disinformation was lured into bypassing his own multi-factor authentication (MFA) using application-specific passwords (ASPs). The attack, flagged by researchers from Citizen Lab, demonstrates the increasing sophistication of state-sponsored cyber operations.
The target of the attack was Keir Giles, a well-known critic of the Kremlin and an expert on Russian information operations. The operation is attributed to a Russian state-backed group tracked by Google as UNC6293 and believed—with low confidence—to be linked to APT29, a hacking group associated with Russia’s Foreign Intelligence Service.
“It’s like they know what we all expect from them – and then did the opposite,” said John Scott-Railton, senior researcher at Citizen Lab.
Attackers Bypass MFA Using Application-Specific Passwords
The phishing campaign did not rely on typical tactics like fake login pages. Instead, the attackers tricked the victim into generating and sharing ASPs—random 16-character passcodes used to allow third-party applications access to Google accounts without requiring 2FA.
ASPs are usually reserved for legacy apps or devices that can’t handle modern security protocols. In this case, however, they became the vehicle for unauthorized access.
Citizen Lab reports that Giles received a series of well-crafted, professional emails posing as outreach from the U.S. State Department. To add legitimacy, spoofed State Department addresses were CC’d in the emails, and the messages were sent during Washington D.C. working hours.
The attackers went so far as to request a screenshot of the ASP—framing it as a secure code required to access a protected State Department platform.
“The attacker was clearly meticulous, to the extent that even a vigilant user would be unlikely to spot out-of-place elements or details,” said Citizen Lab.
Personalized and Persistent: The Attack Unfolded Over Weeks
The operation involved more than a dozen emails over several weeks. The communication was calm, paced, and layered in social trust-building. Citizen Lab describes the effort as highly sophisticated and deliberate, with the attacker preparing a range of fake identities, accounts, and supporting material.
Giles himself admitted that the timing and unhurried pacing added to the deception’s credibility.
“The interaction unfolded over more than 10 exchanges across several weeks,” researchers said. “This was a highly sophisticated attack.”
The attackers may have also used large language models (LLMs) to craft the phishing emails. While grammatically sound, the messages had a generic tone—possibly a sign of AI assistance.
Google Intervenes and Identifies UNC6293 as Threat Actor
Google’s Threat Intelligence Group (GTIG), in collaboration with Citizen Lab, detected and blocked the attacker’s activity. GTIG attributed the activity to UNC6293, believed to be a Russian state-backed group and possibly connected to APT29.
Once the ASP was obtained, the attacker established long-term access to the victim’s Google mailbox, bypassing the MFA safeguards entirely. Google later revoked the attacker’s access.
Rise in MFA Bypass Attacks Alarms Cybersecurity Experts
This attack is part of a larger trend. According to Cisco Talos, nearly half of the incidents they’ve responded to recently involved threat actors attempting to bypass MFA protections.
Threat actors are shifting tactics due to the increasing awareness of phishing and the adoption of more secure MFA methods. As such, attackers now exploit alternative access flows—like ASPs—or deploy cross-platform social engineering to gain persistent access.
These attacks are hard to detect and defend against. In Giles’ case, the attacker didn’t rush but invested time and effort to build trust and maintain a sense of legitimacy throughout.
What Makes This Tactic So Effective?
- ASPs bypass MFA by design and are not typically monitored
- The phishing lure exploited the victim’s professional interests
- Messages included spoofed government emails to establish authenticity
- Language was polished and time zones matched expected norms
- Social interaction was spread out to reduce suspicion
These elements combined to outmaneuver even experienced targets.
The Bigger Picture: Cyber Threats to Critics and Researchers
This case illustrates the changing threat landscape for government critics, academics, and researchers. As defenders harden systems with MFA and other protections, attackers are shifting toward socially engineered access routes that exploit human trust rather than technical vulnerabilities.
“Users are more familiar with common phishing tactics, and more secure forms of MFA are being introduced. That’s why attackers are choosing more complex strategies,” researchers note.
Lessons for Organizations and Enterprise Security Leaders
This incident demonstrates the need to:
- Train users on lesser-known security risks like ASP misuse
- Regularly audit all forms of account access, including third-party apps
- Monitor for behavioral anomalies, even when credentials are valid
- Strengthen identity verification protocols across user-facing systems
Enterprises must assume that sophisticated actors will look beyond obvious attack vectors and instead exploit fringe access paths to reach their goals.
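One way to act on the "audit all forms of account access" and "monitor for behavioral anomalies" points above for this specific pattern: correlate an application-specific password being created with legacy-protocol mailbox access shortly afterwards from an IP address never seen for that user. This is an added example, not code from Citizen Lab, Google or the article; the log format and event names (`asp_created`, `mail_access`) are constructed for illustration and are not Google Workspace's real audit schema.

```python
"""Detection sketch for the ASP-based MFA bypass pattern described above.

Added example; the JSON-lines format and event names are constructed, not
a real audit schema. It flags a user who creates an application-specific
password and, within WINDOW, has mailbox access over a legacy protocol
from an IP address not previously seen for that user.
"""
import json
from datetime import datetime, timedelta

# Constructed sample audit events (not real log data).
SAMPLE_LOG = """
{"ts": "2025-06-10T14:02:11Z", "user": "analyst@example.org", "event": "login", "ip": "203.0.113.7", "proto": "web"}
{"ts": "2025-06-12T15:31:40Z", "user": "analyst@example.org", "event": "asp_created", "ip": "203.0.113.7", "proto": "web"}
{"ts": "2025-06-12T16:05:02Z", "user": "analyst@example.org", "event": "mail_access", "ip": "198.51.100.23", "proto": "imap"}
{"ts": "2025-06-12T16:20:00Z", "user": "colleague@example.org", "event": "asp_created", "ip": "203.0.113.9", "proto": "web"}
{"ts": "2025-06-12T16:25:00Z", "user": "colleague@example.org", "event": "mail_access", "ip": "203.0.113.9", "proto": "imap"}
"""

WINDOW = timedelta(hours=48)          # how long after ASP creation to watch
LEGACY_PROTOS = {"imap", "pop3", "smtp"}  # protocols an ASP is typically used with

def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def find_suspicious_asp_use(events):
    """Return (user, asp_created_at, access_at, ip) tuples for SOC review."""
    known_ips = {}  # user -> IPs seen for that user so far
    pending = {}    # user -> timestamp of the most recent ASP creation
    findings = []
    for e in events:
        user = e["user"]
        if e["event"] == "asp_created":
            pending[user] = e["ts"]
        elif e["event"] == "mail_access" and e["proto"] in LEGACY_PROTOS:
            created = pending.get(user)
            new_ip = e["ip"] not in known_ips.get(user, set())
            # The colleague's access from an already-known IP is not flagged.
            if created and e["ts"] - created <= WINDOW and new_ip:
                findings.append((user, created, e["ts"], e["ip"]))
        known_ips.setdefault(user, set()).add(e["ip"])
    return findings

if __name__ == "__main__":
    for user, created, accessed, ip in find_suspicious_asp_use(parse_events(SAMPLE_LOG)):
        print(f"review: {user} created ASP at {created}, legacy access from {ip} at {accessed}")
```

Disabling ASP creation for accounts that do not need it removes the access path entirely; where that is not possible, this kind of correlation at least makes the "not typically monitored" step visible.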