6/ What's an App-Specific Password? So, not every app supports Multi-Factor Authentication.
Some older email clients don't. So providers like Google let users create a special password just for those apps.
An ASP is a string of characters that gives access to *everything*
See where this is going?
Comments
Very much not your run-of-the-mill phishing.
Ultimately, @keirgiles.bsky.social realized something was wrong and got in touch with us @citizenlab.ca...but not before the attackers got some of his ASPs...
Threat Intelligence Group w/analysis & attribution!
Great!
Our bad actors are: 🇷🇺 #UNC6293, a #Russian state-sponsored threat actor.
Google adds bonus additional low confidence association to #APT29 (that would be the #SVR).
Nice people.
Everything was clean. Doc looked real. The language was right. Email addresses at the State Dept. seemed to be CC'd... I could go on.
They even had Keir enter "ms.state. gov" into the ASP name...
Moving from smash & grab phishing... to subtler, slower & perhaps less detectable.
By me @jsrailton.bsky.social with Rebekah Brown & @billmarczak.org
https://citizenlab.ca/2025/06/russian-government-linked-social-engineering-targets-app-specific-passwords/
But it's just part of a trend of state-backed attackers innovating.
The folks @volexity.com have some great recent work on similar novel Russian attacks.
https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/
It's great that GTIG decided to post on this & go public with attribution.
Helpful to victims & other research teams that don't share Google's terrifying actor visibility.
By Gabby Roncone & @wxs.bsky.social
https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia