Russia Expert Targeted by Sophisticated Hackers Impersonating U.S. Officials


Keir Giles, a distinguished expert on Russian information operations, recently fell victim to a carefully staged spear-phishing attack built on a novel social-engineering lure. The senior consulting fellow at Chatham House was persuaded to generate app-specific passwords at the request of an individual impersonating a United States State Department official.

The incident was investigated by the Google Threat Intelligence Group (GTIG) together with the Citizen Lab, which attributed the activity to a threat actor tracked as UNC6293. The group is tentatively associated with APT29, the cyber-espionage unit linked to Russia's Foreign Intelligence Service (SVR).

Email From a Counterfeit U.S. State Department Official

On May 22, 2025, Giles received an email from an individual using the alias ‘Claudie S. Weber’, claiming to be a senior program advisor at the U.S. Department of State. The correspondence extended an invitation to discuss “certain recent developments.”

The Citizen Lab noted that such an approach would not be unusual for Giles, but its investigation found no record of a 'Claudie S. Weber' in any official directory. The attacker wrote from a Gmail account while copying four addresses that appeared to belong to the State Department, including '[email protected]', a ploy intended to lend the message credibility.

Researchers noted that the State Department's mail system accepts messages addressed to nonexistent mailboxes without returning a bounce, so the absence of a delivery failure for the copied addresses gave the email a false air of legitimacy. The vague, noncommittal tone of the correspondence also suggested that a large language model may have been used to draft it.

Exploitation of App-Specific Passwords

The initial message carried no malicious attachment, but a follow-up email included a PDF with instructions for setting up an "MS DoS Guest Tenant" account. Giles was then told to create an app-specific password (ASP) in his Google account, supposedly required to reach secure government resources related to the consultation.

In reality, handing over the ASP would have given the attacker full, persistent access to the mailbox. An app-specific password is a 16-character credential that lets applications which cannot complete multi-factor authentication (MFA) or a platform's normal sign-in flow (legacy IMAP or SMTP clients, for example) access an MFA-protected account; it bypasses the second factor entirely and remains valid until it is revoked. Google is phasing out ASPs in Workspace for this reason, but users of personal Gmail accounts can still generate and manage them.
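The two tells described above, a consumer webmail sender copying government addresses that will never bounce, and a body that steers the target toward minting an app-specific password, can be checked mechanically on an inbound message. The following is an added example written for this article, not code from GTIG, the Citizen Lab or Google; the two messages it parses are constructed for illustration (the placeholder addresses, the webmail domain list and the lure patterns are assumptions, not vendor signatures).

```python
"""Flag the UNC6293-style lure pattern in a raw RFC 822 message (added example)."""
import re
from email import message_from_string
from email.utils import getaddresses

# Assumption: a short illustrative list of consumer webmail domains. A genuine
# government official would not initiate official contact from one of these.
CONSUMER_MAIL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com",
                         "hotmail.com", "yahoo.com", "proton.me", "protonmail.com"}

# Assumption: illustrative phrases that signal an attempt to make the target
# create a credential that bypasses MFA, based on the lure described above.
ASP_LURE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"app[- ]specific password",
    r"\bapp password\b",
    r"guest tenant",
)]


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _text_body(msg):
    """Concatenate every text/plain part of the message (single or multipart)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8",
                                             errors="replace"))
    return "\n".join(chunks)


def analyze(raw):
    """Parse a raw message and return the sender domain, copied .gov domains,
    a list of finding names and an overall verdict."""
    msg = message_from_string(raw)
    from_addrs = [a.lower() for _, a in getaddresses(msg.get_all("From", []))]
    cc_addrs = [a.lower() for _, a in getaddresses(msg.get_all("Cc", []))]
    reply_to = [a.lower() for _, a in getaddresses(msg.get_all("Reply-To", []))]

    sender_domain = _domain(from_addrs[0]) if from_addrs else ""
    gov_cc = sorted({_domain(a) for a in cc_addrs if _domain(a).endswith(".gov")})
    body = _text_body(msg)

    findings = []
    # The tactic from the article: a free-mail sender lending itself credibility
    # by copying .gov addresses. No bounce proves nothing if the target domain
    # accepts mail for nonexistent mailboxes, so the check is on the pattern itself.
    if sender_domain in CONSUMER_MAIL_DOMAINS and gov_cc:
        findings.append("consumer_sender_with_gov_cc")
    # Replies silently redirected to a different domain than the visible sender.
    if reply_to and _domain(reply_to[0]) != sender_domain:
        findings.append("reply_to_domain_mismatch")
    # The payload of this campaign is a request to create an ASP, not malware.
    if any(p.search(body) for p in ASP_LURE_PATTERNS):
        findings.append("asp_lure")

    return {
        "sender_domain": sender_domain,
        "gov_cc_domains": gov_cc,
        "findings": findings,
        "verdict": "suspicious" if findings else "no_findings",
    }


# Constructed sample modelled on the lure described in the article. All
# addresses are placeholders; example.gov stands in for the copied agency.
SUSPICIOUS_MESSAGE = """\
From: "Claudie S. Weber" <placeholder.sender@gmail.com>
To: target@example.org
Cc: first.official@example.gov, second.official@example.gov
Subject: Consultation on certain recent developments
Content-Type: text/plain; charset=utf-8

Dear Mr Giles,

Ahead of our call, please set up an MS DoS Guest Tenant account and create an
app-specific password in your Google account so the secure portal can connect.
"""

# Constructed benign control: same agency, but sent from the agency's own domain
# and asking for nothing credential-related.
BENIGN_MESSAGE = """\
From: "Programme Office" <office@example.gov>
To: target@example.org
Cc: first.official@example.gov
Subject: Scheduling
Content-Type: text/plain; charset=utf-8

Could you confirm whether Tuesday at 14:00 suits you for the briefing?
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(name, analyze(raw))
```

The first message trips both the sender/CC pattern and the ASP lure; the control trips neither. In a real pipeline the webmail list and lure patterns would be tuned to the organisation, and a hit would be routed to a person rather than auto-blocked, since the whole point of this campaign is that every individual element looks plausible.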

A Complex Spear Phishing Operation

Wary of the request, Giles followed the instructions using a separate account. After numerous exchanges, he said publicly on June 14 that he believed any material taken from his accounts might be doctored for a future information operation.

He remarked on social media that the unhurried pacing of the correspondence added to its apparent legitimacy: the attackers were prepared to answer his questions thoughtfully and applied no pressure, proposing future timelines instead.

Mitigation Steps Recommended by Google

After the breach was detected, Google secured the affected accounts and disabled the attacker's email address. In a separate report dated June 18, GTIG described a similar campaign that began in April 2025 and targeted email accounts with Ukrainian- and Microsoft-themed ASP requests.

The GTIG provided a series of defensive recommendations, including:

– Avoid app-specific passwords wherever possible; accounts enrolled in the Advanced Protection Program (APP), intended for high-risk users, cannot create them at all.
– Revoke app-specific passwords as soon as they are no longer needed.
– Monitor account activity and security notifications regularly, including Google's alerts when an ASP is created.
– Apply heightened protections such as those offered by APP to individuals at elevated risk of targeted attacks.