- International critics of Russia and academics have received phishing emails
- Attackers slowly build rapport while impersonating the US State Department
- Victims are tricked into sharing Google app-specific passwords
Google Threat Intelligence Group (GTIG) has shared details of a new threat actor tracked as UNC6293, which is believed to be a Russian state-sponsored group targeting prominent academics and critics of the country.
Victims have allegedly received phishing emails using spoofed ‘@state.gov’ addresses in the CC field to build credibility, but instead of being hit with an immediate malicious payload, the attacker uses social engineering tactics to build rapport with their targets.
Google’s researchers described the slow-paced nature of the attacks: the attackers built rapport with their victims, often sending them personal emails and inviting them to private conversations or meetings.
Academics and critics are targeted by Russia
In a screenshot shared by Google’s threat intelligence team, Keir Giles, a prominent British researcher on Russia, received a fake US Department of State email, assumed to be part of the UNC6293 campaign.
“Several of my email accounts have been targeted in a sophisticated account takeover that involved imitation of the US Department of State,” Giles shared on LinkedIn.
In the attack email, victims receive a benign PDF attachment designed to look like an invitation to a secure (fake) Department of State cloud environment. It is this site that ultimately gives the attackers, who Google thinks could be linked to APT29 (aka Cozy Bear, Nobelium), access to a user’s Gmail account.
Victims are directed to create an app-specific password (ASP) at account.google.com and then share the 16-character ASP with the attackers.
“ASPs are randomly generated 16-character codes that allow third-party applications to access your Google account, designed for applications and devices that do not support features such as 2-step verification (2SV),” Google explained.
Google highlights users can create or revoke ASPs at any time, and a pop-up on its website even advises users that ASPs are “not recommended and are unnecessary in most cases.”
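A defender-side triage sketch for the two observable traits described above, the ‘@state.gov’ addresses placed in the CC field and the 16-character ASP being sent back to the attackers. It is an added example, not code from Google or from the original article. The function names, the constructed sample message and the ASP shape (16 lowercase letters in four groups of four) are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumption: an ASP is 16 lowercase letters, shown as four groups of four.
# The pattern is noisy on its own; pair it with a flagged inbound thread.
ASP_RE = re.compile(r"(?<![a-z])[a-z]{4}( ?)[a-z]{4}\1[a-z]{4}\1[a-z]{4}(?![a-z])")

# Constructed sample message (not taken from the campaign).
SAMPLE = """\
From: Sender Name <sender@example.org>
Cc: a.person@state.gov, b.person@state.gov
Subject: Invitation
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: text/plain

Please see the attached instructions.
--b
Content-Type: application/pdf; name="instructions.pdf"

%PDF-
--b--
"""

def domains(msg, *headers):
    """Lower-cased domains of every address in the given headers."""
    values = [v for h in headers for v in msg.get_all(h, [])]
    return {a.rsplit("@", 1)[1].lower() for _, a in getaddresses(values) if "@" in a}

def is_state_gov(domain):
    return domain == "state.gov" or domain.endswith(".state.gov")

def inbound_findings(raw):
    """Flag the lure shape: state.gov appears only in Cc, plus a PDF."""
    msg = message_from_string(raw)
    findings = []
    senders = domains(msg, "From", "Reply-To")
    cc_gov = any(is_state_gov(d) for d in domains(msg, "Cc"))
    if cc_gov and not (senders and all(is_state_gov(d) for d in senders)):
        findings.append("state.gov in Cc, sender is not state.gov")
    if any(p.get_content_type() == "application/pdf" for p in msg.walk()):
        findings.append("PDF attachment")
    return findings

def outbound_has_asp(body):
    # True if an outgoing message body contains an ASP-shaped string.
    return ASP_RE.search(body) is not None
```

Neither signal is conclusive alone; a flagged inbound thread followed by an ASP-shaped string in a reply is the combination worth escalating.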
More important, however, is that while attacks come in all different flavors, social engineering and phishing remain very effective vectors, and yet they are typically comparatively easy to detect with a bit of prior understanding and training.
The standard advice then remains: avoid clicking on attachments from email addresses you do not know, and certainly never share account information with unknown persons.



