Russian Hackers Bypass Two-Factor Authentication in New Attack

Summary
– British researcher Keir Giles, an expert on Russian influence operations, was targeted by a sophisticated phishing attack exploiting Gmail’s “app password” feature.
– The attack was linked to UNC6293, a group suspected of ties to Russian cyber-espionage group APT29 (Cozy Bear), targeting critics of Moscow like academics and journalists.
– Hackers impersonated a U.S. official (“Claudie S. Weber”) using fake @state.gov emails, guiding Giles over multiple emails to generate an app password, bypassing two-factor authentication.
– The attack relied on social engineering rather than malware or technical vulnerabilities, exploiting legitimate but poorly secured Gmail features.
– Google detected and blocked the intrusion, but the incident highlights vulnerabilities in current protections, prompting recommendations for high-risk users to disable app passwords.

Russian hackers have developed a sophisticated method to bypass two-factor authentication (2FA), targeting high-profile individuals through carefully crafted social engineering tactics. Security experts warn this new approach exploits legitimate account features rather than technical vulnerabilities, making it particularly dangerous.
One notable victim was British researcher Keir Giles, a specialist in Russian influence operations. Hackers posing as U.S. officials tricked him into generating an “app password”, a legitimate Gmail feature designed for software that doesn’t support 2FA. The attackers, linked to the Russian-affiliated group UNC6293 (suspected to be part of APT29, or Cozy Bear), used a multi-stage deception campaign to gain access without triggering security alerts.
The scheme began with a convincing email from a fake State Department official, complete with forged government email addresses. Over several exchanges, the hackers guided Giles through creating an app password under the pretense of official business. A professionally designed but fraudulent PDF provided step-by-step instructions, masking the attack as legitimate procedure. Once generated, the password gave hackers full account access, bypassing 2FA entirely.
Google confirmed the attack relied on neither malware nor system flaws, only expertly executed manipulation. While the company intervened to revoke the unauthorized access, the incident highlights a critical weakness: even robust security measures fail if users can be tricked into manually creating a credential that sidesteps them.
Similar campaigns have targeted academics, journalists, and activists critical of the Kremlin, with attacks documented between April and June 2025. Citizen Lab, which analyzed the breach, warns that hackers are refining their tactics, prioritizing patience and psychological precision over brute-force methods.
To mitigate risks, Google now advises high-profile users to enroll in its Advanced Protection Program, which disables app passwords entirely. Security experts stress the importance of skepticism toward unsolicited requests, no matter how legitimate they appear, and recommend verifying identities through separate channels before taking sensitive actions.
This incident underscores a growing trend in cybercrime: as defenses improve, attackers shift focus to human vulnerabilities, proving that even the most secure systems can be compromised through deception.
(Source: JdG)