Russian Hackers Use Gmail App Passwords to Beat 2FA

Russian state-linked activity that Google tracks as UNC6293 and associates with APT29 is using Google "application-specific passwords" (ASPs) to sidestep two-factor authentication on Gmail accounts. Posing as U.S. State Department officials, the attackers court academics and Kremlin critics over several weeks, then send a PDF instructing victims to generate a 16-character ASP and email it back. With that code, the hackers configure their own mail client, gaining long-term inbox access while hiding behind residential proxies and VPS services. Google and Citizen Lab traced activity from April to early June 2025, while Microsoft spotted related tactics against Microsoft 365 tenants, such as device-join phishing. The tech giants say affected accounts have been secured, but warn that sophisticated, rapport-building social engineering is on the rise.

Security researchers at Google’s Threat Intelligence Group and Citizen Lab have linked a new phishing spree to APT29, a Kremlin-backed outfit also known as “Cozy Bear”. The campaign ran between April and early June 2025, targeting high-profile academics and outspoken critics of Russia.

How the Scam Works
1. Friendly approach – Victims receive polite meeting requests from addresses crafted to look like government domains. Several fake contacts are CC'd, adding a veneer of legitimacy.
2. Slow burn – Over weeks, the attackers build rapport, avoiding the pushy tactics typical of mass phishing.
3. The hook – A follow-up email delivers a PDF guide that asks the target to create a Gmail application-specific password (ASP) "for secure document sharing" and to send the resulting 16-character code back by email.
4. The breach – Once the ASP is handed over, APT29 configures its own mail client with it. An ASP is accepted as a complete credential by legacy-protocol clients (IMAP, SMTP and similar), so the login never triggers a second-factor prompt and the attackers can read the mailbox, from their own infrastructure, for as long as the ASP stays valid.

Why App-Specific Passwords Matter
ASPs exist so older apps that cannot complete an interactive 2FA flow can still connect to Google accounts with 2-Step Verification turned on. The ASP is a separate 16-character credential that stands in for both the password and the second factor: anyone holding it gets the same mailbox access as the account owner, with no second-factor prompt, and it keeps working until the owner revokes it at myaccount.google.com/apppasswords. Because the ASP login looks like a normal legacy-client connection rather than a failed or suspicious 2FA attempt, it also gives the victim little to notice. The practical check is simple: if an account has an ASP the owner did not knowingly create, treat the mailbox as compromised and revoke it.
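
The behaviour described above gives a defender something to hunt for: a freshly created app password, followed by app-password logins from an address the user has never signed in from. The script below is an added example, not code from the Google or Citizen Lab reports, and it runs over a constructed audit trail in a hypothetical JSON-lines schema (field names such as `login_type` and `app_password_created` are assumptions, not Google's real Reports API format). It builds a baseline of IPs seen on normal, 2FA-backed logins and alerts on app-password logins within a window after creation that come from outside that baseline.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit trail in a hypothetical JSON-lines schema (it is not
# Google's real Reports API format): one event per line, ISO-8601 UTC timestamps.
# prof@ is the victim pattern: a fresh ASP, then ASP logins from an IP the user
# never signed in from. dev@ is a legitimate user who created an ASP for a mail
# client on a machine already seen in their normal, 2FA-backed logins.
SAMPLE_LOG = """\
{"ts": "2025-04-28T09:00:00Z", "user": "dev@example.org", "event": "login_success", "login_type": "google_password", "ip": "192.0.2.5"}
{"ts": "2025-05-01T09:12:00Z", "user": "prof@example.org", "event": "login_success", "login_type": "google_password", "ip": "203.0.113.10"}
{"ts": "2025-05-02T10:00:00Z", "user": "dev@example.org", "event": "app_password_created", "login_type": null, "ip": "192.0.2.5"}
{"ts": "2025-05-02T10:05:00Z", "user": "dev@example.org", "event": "login_success", "login_type": "app_password", "ip": "192.0.2.5"}
{"ts": "2025-05-03T14:02:00Z", "user": "prof@example.org", "event": "login_success", "login_type": "google_password", "ip": "203.0.113.10"}
{"ts": "2025-05-20T16:45:00Z", "user": "prof@example.org", "event": "app_password_created", "login_type": null, "ip": "203.0.113.10"}
{"ts": "2025-05-20T17:10:00Z", "user": "prof@example.org", "event": "login_success", "login_type": "app_password", "ip": "198.51.100.77"}
{"ts": "2025-05-21T08:00:00Z", "user": "prof@example.org", "event": "login_success", "login_type": "app_password", "ip": "198.51.100.77"}
"""


def parse_events(log_text):
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def find_suspicious_app_password_logins(log_text, window_days=7):
    """Flag app-password logins that (a) follow an app-password creation within
    window_days and (b) come from an IP never seen on the user's normal,
    2FA-backed logins. One alert per (user, ip) pair."""
    baseline_ips = {}   # user -> IPs seen on non-ASP logins
    last_created = {}   # user -> timestamp of the most recent ASP creation
    reported = set()
    alerts = []
    for ev in parse_events(log_text):
        user = ev["user"]
        if ev["event"] == "app_password_created":
            last_created[user] = ev["ts"]
            continue
        if ev["event"] != "login_success":
            continue
        if ev.get("login_type") != "app_password":
            # A normal login (password + second factor) extends the baseline.
            baseline_ips.setdefault(user, set()).add(ev["ip"])
            continue
        created = last_created.get(user)
        if created is None or ev["ts"] - created > timedelta(days=window_days):
            continue
        if ev["ip"] in baseline_ips.get(user, set()):
            continue  # same machine the user already signs in from
        key = (user, ev["ip"])
        if key in reported:
            continue
        reported.add(key)
        alerts.append({
            "user": user,
            "ip": ev["ip"],
            "first_seen": ev["ts"].isoformat(),
            "minutes_since_creation": (ev["ts"] - created).total_seconds() / 60,
        })
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_app_password_logins(SAMPLE_LOG):
        print(f"ALERT {a['user']}: app-password login from new IP {a['ip']} "
              f"{a['minutes_since_creation']:.0f} min after ASP creation ({a['first_seen']})")
```

Run against the sample, it reports prof@ once (the 198.51.100.77 logins 25 minutes after the ASP was created) and stays silent on dev@. In a real deployment the baseline should be built from a longer history than the alert window, and the new-IP test is better done on ASN or country than on exact address, since residential proxies rotate.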
Wider Activity
Google blocked compromised accounts and noted a sister campaign themed around Ukraine. Microsoft, meanwhile, has observed similar social-engineering tricks against Microsoft 365 users, such as device-join phishing that hijacks OAuth tokens.

Staying Safe
• Never share app-specific passwords, or any other security code, by email or chat. No legitimate "secure document sharing" process needs one; an ASP is only ever meant to be typed into your own mail client.
• Verify sender domains and look for subtle misspellings or substituted characters. Check the actual From and Reply-To addresses, not just the display name, and remember that CC'd "colleagues" prove nothing about who sent the mail.
• Review myaccount.google.com/apppasswords periodically and revoke any app password you do not recognise; this also cuts off an attacker who already has one.
• Enrol at-risk accounts in Google's Advanced Protection Programme or a hardware-key solution. Advanced Protection locks the account to security keys and removes the app-password option altogether, which is the only setting that makes this particular trick impossible rather than merely unlikely.
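
The sender-domain check is the one step above that can be automated in a mail filter. The block below is an added example, not code from the original article or from Google: it parses the From header, normalises the domain (lower-case, punycode decoded, a small table of Cyrillic and digit look-alikes folded to ASCII, the "rn" for "m" trick collapsed) and then compares it with a constructed allowlist by exact match, confusable match and edit distance. The allowlist, the confusable table and the sample headers are assumptions for illustration.

```python
import unicodedata
from email.utils import parseaddr

# Constructed allowlist of domains the recipient expects official mail from.
ALLOWED_DOMAINS = {"state.gov", "example.org"}

# Characters that render like an ASCII letter but are not one (Cyrillic,
# Turkish dotless i, digits used as letters). Deliberately small; real
# confusable tables (Unicode TR39) are far larger.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0131": "i",
    "0": "o", "1": "l",
}


def normalise_domain(domain):
    """Lower-case, decode punycode, fold confusables and the rn/m pair."""
    domain = domain.strip().lower().rstrip(".")
    if "xn--" in domain:
        try:
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed label: compare it as given
    domain = unicodedata.normalize("NFKC", domain)
    domain = "".join(CONFUSABLES.get(ch, ch) for ch in domain)
    return domain.replace("rn", "m")


def levenshtein(a, b):
    """Plain edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value):
    """Domain part of an RFC 5322 From/Reply-To value, or "" if unparseable."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify_sender_domain(domain, allowed=ALLOWED_DOMAINS, max_distance=2):
    """Return (verdict, closest_allowed_domain) where verdict is
    'exact', 'lookalike' or 'unknown'."""
    plain = domain.strip().lower().rstrip(".")
    if plain in allowed:
        return "exact", plain
    norm = normalise_domain(domain)
    allowed_norm = {normalise_domain(a): a for a in allowed}
    if norm in allowed_norm:
        return "lookalike", allowed_norm[norm]   # same letters after folding
    closest = min(allowed, key=lambda a: levenshtein(norm, normalise_domain(a)))
    if levenshtein(norm, normalise_domain(closest)) <= max_distance:
        return "lookalike", closest
    return "unknown", closest


if __name__ == "__main__":
    # Constructed From headers: one genuine, two look-alikes, one unrelated.
    for header in ["Liaison <desk@state.gov>",
                   "Liaison <desk@st\u0430te.gov>",
                   "Liaison <desk@stale.gov>",
                   "Liaison <desk@gmail.com>"]:
        dom = sender_domain(header)
        print(f"{header!r:40} -> {dom!r:20} {classify_sender_domain(dom)}")
```

A "lookalike" verdict is the one to quarantine: it means the domain is not on the allowlist but is within a couple of edits, or is identical once look-alike characters are folded, which is exactly the pattern a human eye misses. "Unknown" is ordinary mail from an unlisted domain and should fall through to whatever the normal policy is.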