Google Threat Intelligence Group linked a sophisticated phishing operation to a Russia-sponsored threat actor, UNC6293, targeting critics of Russia and academics with personalized tactics and legitimate-looking PDFs. The campaign abused Application-Specific Passwords (ASPs), which victims were socially engineered into creating, to gain persistent access to their email accounts, relying on social engineering rather than malware. #UNC6293 #ICECAP #APT29 #GoogleAccountSecurity
Key points
- The campaign was attributed to the Russia-backed threat actor UNC6293, with a low-confidence link to APT29/ICECAP.
- Attackers used personalized phishing emails impersonating the U.S. State Department and other themes.
- Victims were directed to generate Application-Specific Passwords (ASPs) to facilitate persistent access.
- The lures were benign PDFs that walked targets through the account authorization steps, so no malware was involved for detection tools to flag.
- Google successfully re-secured affected accounts and linked the campaigns through shared infrastructure.