Sophisticated Phishing Attack Uses ASP Pages to Target Prominent Russia Critics - Google
Google Threat Intelligence Group (GTIG), in collaboration with external partners, has uncovered a sophisticated phishing campaign orchestrated by a Russia state-sponsored cyber threat actor, tracked as UNC6293.
Active from at least April through early June 2025, this campaign specifically targeted prominent academics and critics of Russia.
GTIG assesses with low confidence that UNC6293 is associated with APT29, also known as ICECAP, a notorious group linked to previous high-profile cyber espionage activities.
State-Sponsored Cyber Threat Actor
The attackers employed advanced social engineering tactics, impersonating the U.S. Department of State to build trust with targets through prolonged rapport-building efforts before deploying tailored phishing lures.
Their ultimate goal was to trick victims into creating and sharing Application Specific Passwords (ASPs), the 16-character passcodes used to grant third-party applications access to Google Accounts, thereby enabling persistent access to victims’ mailboxes.
The phishing operation unfolded in two distinct campaigns, both leveraging carefully crafted emails disguised as meeting invitations, with spoofed U.S. Department of State email addresses included in the CC field to bolster legitimacy.
Initial emails were not inherently malicious but encouraged responses to arrange a meeting.
Upon engagement, targets received a benign PDF lure themed around the State Department, customized to the individual, and containing instructions to access a fictitious cloud environment via https://account.google.com.

Persistent Access via ASPs
Victims were directed to create an ASP and name it as prompted, such as “ms.state.gov” in the first campaign or a Ukrainian and Microsoft-themed name in the second.
Once the ASP code was shared, attackers configured mail clients to maintain persistent access, likely to monitor and extract sensitive correspondence.
Infrastructure analysis revealed the use of residential proxies and VPS servers, including the IP 91.190.191.117, which linked the two campaigns to the same threat cluster.
GTIG has since re-secured the compromised Gmail accounts, underscoring the severity of this breach.
This tactic aligns with findings from Citizen Lab’s recent research on social engineering attacks exploiting ASPs, highlighting a growing threat to high-risk users.
Google emphasizes that users retain full control over ASPs, with the ability to create or revoke them at will, and notifications are sent to associated Gmail accounts, recovery emails, and signed-in devices to flag unauthorized activity.
For heightened security, Google recommends its Advanced Protection Program (APP), which disables ASP creation due to stricter authentication protocols, offering robust defense against such targeted attacks.
GTIG remains committed to sharing these insights with the security community to enhance threat hunting and bolster user protections industry-wide. Below are the key indicators of compromise (IOCs) associated with this campaign for reference and mitigation purposes.
Indicators of Compromise (IOCs)
| Campaign | Sender Theme | ASP Name | Attacker Infrastructure |
|---|---|---|---|
| Campaign 1 | State Department | ms.state.gov | 91.190.191.117 (Residential Proxy) |
| Campaign 2 | Unknown | Ukrainian and Microsoft-themed ASP | 91.190.191.117 (Residential Proxy) |
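As an added detection example (not part of Google's report), the following Python correlates constructed account-audit events against the IOC table above: an ASP named like the lure, a mail-client login from the listed IP, and a mail-client login from a previously unseen IP shortly after an ASP was created. The event schema, user names and timestamps are assumed for illustration only.

```python
from datetime import datetime, timedelta

# Indicators taken from the article's IOC table.
IOC_IPS = {"91.190.191.117"}
LURE_ASP_NAMES = ("ms.state.gov",)

# Constructed sample events; the schema (ts, user, event, asp_name/ip) is assumed.
SAMPLE_EVENTS = [
    {"ts": "2025-05-02T09:00:00", "user": "prof@example.org",
     "event": "asp_created", "asp_name": "ms.state.gov"},
    {"ts": "2025-05-02T09:20:00", "user": "prof@example.org",
     "event": "mail_client_login", "ip": "91.190.191.117"},
    {"ts": "2025-05-03T11:00:00", "user": "other@example.org",
     "event": "asp_created", "asp_name": "home printer"},
    {"ts": "2025-05-20T08:00:00", "user": "other@example.org",
     "event": "mail_client_login", "ip": "203.0.113.7"},
]


def find_asp_abuse(events, window_hours=24):
    """Return (user, reason) findings for the ASP-abuse pattern in the article."""
    findings = []
    last_asp = {}    # user -> time of most recent ASP creation
    seen_ips = {}    # user -> IPs that have logged in via a mail client so far
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["event"] == "asp_created":
            name = e.get("asp_name", "")
            # Rule 1: ASP name matches the name the lure told victims to use.
            if any(lure in name.lower() for lure in LURE_ASP_NAMES):
                findings.append((user, f"ASP named like lure: {name}"))
            last_asp[user] = ts
        elif e["event"] == "mail_client_login":
            ip = e.get("ip", "")
            # Rule 2: login from infrastructure listed in the IOC table.
            if ip in IOC_IPS:
                findings.append((user, f"mail-client login from IOC IP {ip}"))
            # Rule 3: never-seen IP used within the window after an ASP was created,
            # which is how the attackers configured their mail clients.
            created = last_asp.get(user)
            if (created and ts - created <= timedelta(hours=window_hours)
                    and ip not in seen_ips.get(user, set())):
                findings.append((user, f"new IP {ip} used soon after ASP creation"))
            seen_ips.setdefault(user, set()).add(ip)
    return findings
```

Revoking the flagged ASP and checking the account's recovery settings is the follow-up the article's mitigation advice implies.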