You followed the instructions, adhered to the protocol — and now your email is no longer yours.
Between April and early June 2025, specialists from Google’s Threat Intelligence Group (GTIG), in cooperation with external organizations, detected a large-scale phishing campaign. The targets were prominent Western researchers, analysts, and critics of Russia. The goal was to gain trust and then gain access to their email accounts through a technique involving Google’s Application-Specific Passwords (ASP) feature.
GTIG tracks this activity under the name UNC6293 and, with low confidence, attributes it to the APT29 group. The campaign consisted of several stages. First, the attackers initiated a conversation, gradually building trust with the victim. Then, they impersonated official communication from the U.S. Department of State: the initial messages looked like standard meeting invitations, with fake email addresses resembling official government domains in the CC field.
After establishing contact, a second message followed — containing a PDF attachment. The file wasn’t malicious but was formatted to resemble official documents. It included instructions on how to create an ASP (Application-Specific Password) — a password used in Google accounts to connect apps that don’t support two-factor authentication. Victims were instructed to visit Google’s official account site and create a new ASP, using suggested password names like “ms.state.gov” in one case, and variants related to Ukraine or Microsoft in others.
The key moment came when victims were asked to send the 16-character password back. With that password, the attackers could configure an email client and gain access to the victim’s inbox — establishing persistent access without needing to reauthenticate. This enabled them to intercept sensitive correspondence and monitor researchers’ and analysts’ activity in real time.
Both observed campaigns used the same infrastructure: IP address 91.190.191.117, part of a proxy network, was used to mask the attackers’ real location. They employed both residential proxies and virtual servers, complicating traceability. GTIG noted that the same technical infrastructure was reused across multiple attack events.
After detecting and analyzing the phishing messages, Google restored access to the compromised accounts. The company also reminded users that they can revoke ASPs at any time through their account settings. When such a password is created, Google sends alerts to the primary email, recovery address, and all authorized devices — allowing users to detect and react to suspicious activity. Beyond standard protection measures, Google recommends enabling the Advanced Protection Program (APP), which is designed specifically for individuals at high risk. When APP is active, creating ASPs becomes impossible, effectively closing off this attack vector.
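The detection side of the preceding paragraphs (an ASP is created, then a mail client authenticates with it from infrastructure the account has never used) can be reduced to a simple correlation rule. The Python below is an added example, not code from Google or GTIG; the event schema and the sample audit events are constructed for illustration, and the only value taken from the report is the proxy address 91.190.191.117 and the lure themes used as ASP names.

```python
"""Correlate application-specific-password (ASP) creation events with the
first ASP-based mail-client logins that follow, and flag the ones that look
like the pattern described in the report.

Schema (constructed for this example, not any real log format):
  {"ts": ISO-8601 UTC, "user": str, "type": "asp_created" | "login",
   "ip": str, "label": str (asp_created only),
   "method": "asp" | "password_2fa" (login only), "client": str (login only)}
"""
from datetime import datetime, timedelta

# Indicator named in the GTIG report: reused proxy address.
KNOWN_BAD_IPS = {"91.190.191.117"}

# ASP name themes the report describes (government, Ukraine, Microsoft lures).
SUSPICIOUS_LABEL_FRAGMENTS = ("state.gov", "ukrain", "microsoft")

# Constructed sample events: three users, one compromised (analyst), one
# legitimate ASP (editor), one ASP used from an unknown address (writer).
SAMPLE_EVENTS = [
    {"ts": "2025-04-28T08:00:00", "user": "analyst@example.org", "type": "login",
     "ip": "203.0.113.10", "method": "password_2fa", "client": "web"},
    {"ts": "2025-04-30T09:00:00", "user": "editor@example.org", "type": "login",
     "ip": "198.51.100.7", "method": "password_2fa", "client": "web"},
    {"ts": "2025-05-01T09:00:00", "user": "writer@example.org", "type": "login",
     "ip": "192.0.2.5", "method": "password_2fa", "client": "web"},
    {"ts": "2025-05-02T09:00:00", "user": "analyst@example.org", "type": "asp_created",
     "ip": "203.0.113.10", "label": "ms.state.gov"},
    {"ts": "2025-05-02T11:30:00", "user": "analyst@example.org", "type": "login",
     "ip": "91.190.191.117", "method": "asp", "client": "imap"},
    {"ts": "2025-05-05T10:00:00", "user": "editor@example.org", "type": "asp_created",
     "ip": "198.51.100.7", "label": "Thunderbird"},
    {"ts": "2025-05-05T10:05:00", "user": "editor@example.org", "type": "login",
     "ip": "198.51.100.7", "method": "asp", "client": "imap"},
    {"ts": "2025-05-06T14:00:00", "user": "writer@example.org", "type": "asp_created",
     "ip": "192.0.2.5", "label": "Mail app"},
    {"ts": "2025-05-06T15:00:00", "user": "writer@example.org", "type": "login",
     "ip": "192.0.2.99", "method": "asp", "client": "imap"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_asp_abuse(events, window=timedelta(hours=72)):
    """Return one alert per ASP-based login within `window` of an ASP creation
    that (a) comes from a known-bad IP, (b) comes from an IP the user never
    used for a regular 2FA login before the ASP existed, or (c) belongs to an
    ASP whose name mimics the lure themes. Alerts are in chronological order."""
    events = sorted(events, key=_ts)
    alerts = []
    for i, asp in enumerate(events):
        if asp["type"] != "asp_created":
            continue
        user = asp["user"]
        # Baseline: addresses seen on this user's non-ASP logins before creation.
        baseline = {e["ip"] for e in events[:i]
                    if e["user"] == user and e["type"] == "login"
                    and e.get("method") != "asp"}
        label = asp.get("label", "").lower()
        label_suspicious = any(f in label for f in SUSPICIOUS_LABEL_FRAGMENTS)
        for login in events[i + 1:]:
            if (login["user"] != user or login["type"] != "login"
                    or login.get("method") != "asp"):
                continue
            if _ts(login) - _ts(asp) > window:
                break  # events are sorted, nothing later can be in the window
            reasons = []
            if login["ip"] in KNOWN_BAD_IPS:
                reasons.append("known_bad_ip")
            if login["ip"] not in baseline:
                reasons.append("unfamiliar_ip")
            if label_suspicious:
                reasons.append("suspicious_label")
            if reasons:
                alerts.append({"user": user, "asp_label": asp.get("label"),
                               "login_ip": login["ip"], "client": login.get("client"),
                               "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_asp_abuse(SAMPLE_EVENTS):
        print(alert)
```

The rule deliberately treats a creation-time alert as the anchor rather than as the alert itself: the report notes that Google already notifies the account owner when an ASP is created, so the signal a defender adds is the follow-on login from infrastructure the user has never touched. Any hit is a candidate for revoking the ASP and, for high-risk users, for enrolling the account in the Advanced Protection Program, which prevents ASPs from being created at all.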
