A suspected Russian state-backed group, which Google tracks as UNC6293 and assesses with low confidence to be linked to APT29 (Cozy Bear), has run a patient phishing campaign against Gmail users. What makes it notable is how the attackers got past Google's two-factor authentication (2FA, which Google calls 2-Step Verification) without stealing a password or intercepting a code at all. Instead, they talked targets into generating an app password, a credential that lets a mail client sign in to the account with no 2FA prompt, and then handing it over.

The campaign ran from at least April 2025 into early June, according to Google's Threat Intelligence Group (GTIG) and Citizen Lab. The victims were mostly prominent critics of the Russian government, including academics, journalists, and think tank researchers. The attackers posed as U.S. State Department staff, sending professional-looking emails with plausible names and domains. Some emails CC'd several fake officials at @state.gov addresses to make the message look authentic; because the State Department's mail server accepts messages to non-existent addresses without bouncing them, the fake CCs produced no error that might have tipped off the target.

Once the target replied, the attacker would start building trust. After a few messages, they would ask the victim to generate a Gmail app password, which is a special one-time code used to access Gmail through email apps or third-party software. Normally, Google users don’t need this. But once someone generates this password and shares it, it allows full access to their inbox, even if 2FA is enabled.

The attackers didn’t use shady links or suspicious files. Instead, they sent a clean-looking PDF that included step-by-step instructions on how to generate this app password, making it seem like it was needed for “secure communication.” Victims thought they were helping government officials and never realized they were handing over access to their private accounts.

Once inside the Gmail account, the attackers could read emails, download attachments, and monitor ongoing conversations without the victim noticing, and that access persisted until the app password was revoked. Because app passwords are designed to skip 2FA, Google's usual protections were silently bypassed rather than defeated. The attackers also signed in through residential proxy networks and VPS servers so that their logins looked like ordinary user activity and did not trip location-based alerts.
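The detection point in the paragraph above is the sign-in itself: an app-password login over IMAP from infrastructure the user has never used interactively is the observable trace of this playbook. The script below is an added example, not code from the article or from Google or Citizen Lab. It works over a constructed JSON-lines login export; the field names (`ts`, `user`, `login_type`, `client`, `ip`, `asn_org`), the `password_2sv` / `app_password` login-type values and the residential-proxy organisation list are assumptions for illustration and need to be mapped onto whatever your real login audit export provides. It builds a per-user baseline of networks seen in interactive password-plus-2SV logins over the last 30 days and flags every app-password login, scoring those from a network outside the baseline or from a known residential-proxy provider as high.

```python
"""Flag Gmail/Workspace sign-ins made with an app password from infrastructure
the user has never signed in from interactively.

Added example; not code from the original article or from Google/Citizen Lab.
The log schema (ts, user, login_type, client, ip, asn_org) and the residential-
proxy organisation list are constructed for illustration only.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: an analyst's normal web logins, then IMAP logins with an
# app password from a residential-proxy network the user has never used; and an
# ops user whose app-password login comes from their usual network.
SAMPLE_LOG = """
{"ts": "2025-05-01T08:02:11Z", "user": "analyst@example.org", "login_type": "password_2sv", "client": "web",  "ip": "203.0.113.10", "asn_org": "Example University"}
{"ts": "2025-05-03T09:15:40Z", "user": "analyst@example.org", "login_type": "password_2sv", "client": "web",  "ip": "203.0.113.10", "asn_org": "Example University"}
{"ts": "2025-05-20T19:44:02Z", "user": "analyst@example.org", "login_type": "app_password", "client": "imap", "ip": "198.51.100.77", "asn_org": "ResiProxy LLC"}
{"ts": "2025-05-21T02:10:55Z", "user": "analyst@example.org", "login_type": "app_password", "client": "imap", "ip": "198.51.100.78", "asn_org": "ResiProxy LLC"}
{"ts": "2025-05-02T10:00:00Z", "user": "ops@example.org",     "login_type": "password_2sv", "client": "web",  "ip": "192.0.2.5",     "asn_org": "Example University"}
{"ts": "2025-05-02T10:05:00Z", "user": "ops@example.org",     "login_type": "app_password", "client": "imap", "ip": "192.0.2.5",     "asn_org": "Example University"}
"""

# Constructed list of organisations you treat as residential-proxy providers.
RESIDENTIAL_PROXY_ORGS = {"ResiProxy LLC"}


def parse_log(text):
    """Parse JSON-lines login records and return them sorted by timestamp."""
    records = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for r in records:
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(records, key=lambda r: r["ts"])


def find_suspicious_app_password_logins(records, baseline_days=30):
    """Return one finding per app-password login.

    Baseline: ASN organisations from which the user completed an interactive
    password + 2SV login within the preceding `baseline_days`. An app-password
    login from outside that baseline, or from a known residential-proxy
    provider, is scored 'high'; one from inside the baseline is 'medium'
    (it still bypassed 2SV and deserves a look).
    """
    interactive = defaultdict(list)  # user -> [(ts, asn_org), ...]
    findings = []
    for r in records:  # records are time-ordered, so the baseline only looks back
        if r["login_type"] == "password_2sv":
            interactive[r["user"]].append((r["ts"], r["asn_org"]))
            continue
        if r["login_type"] != "app_password":
            continue
        window_start = r["ts"] - timedelta(days=baseline_days)
        known_orgs = {org for ts, org in interactive[r["user"]] if ts >= window_start}
        reasons = ["app password used (2SV not challenged)"]
        severity = "medium"
        if r["asn_org"] not in known_orgs:
            reasons.append(f"ASN org {r['asn_org']!r} never seen in interactive logins")
            severity = "high"
        if r["asn_org"] in RESIDENTIAL_PROXY_ORGS:
            reasons.append("ASN org is a known residential-proxy provider")
            severity = "high"
        findings.append({
            "user": r["user"], "ts": r["ts"].isoformat(), "ip": r["ip"],
            "client": r["client"], "severity": severity, "reasons": reasons,
        })
    return findings


def summarize(findings):
    """Collapse findings to {user: worst severity} for a quick triage view."""
    rank = {"medium": 1, "high": 2}
    worst = {}
    for f in findings:
        if rank[f["severity"]] > rank.get(worst.get(f["user"]), 0):
            worst[f["user"]] = f["severity"]
    return worst


if __name__ == "__main__":
    for f in find_suspicious_app_password_logins(parse_log(SAMPLE_LOG)):
        print(f["severity"].upper(), f["user"], f["ts"], f["client"], f["ip"],
              "; ".join(f["reasons"]))
```

On the constructed sample this yields a medium finding for the ops user (an app-password login, but from their usual network) and two high findings for the analyst, whose IMAP logins arrive from a residential-proxy network that never appears in their interactive sign-ins. In practice the medium findings are the useful baseline question for an organisation: if nobody has a legitimate legacy client, every app-password login is worth a ticket, and Advanced Protection or an admin policy can remove the feature altogether.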

Google tracks the activity as UNC6293 and ties it, with low confidence, to the broader APT29 effort; Citizen Lab, which helped uncover the campaign, reached a similar assessment. Similar tactics have been reported against Microsoft 365 earlier this year, where Russia-linked actors talked targets into handing over OAuth authorization codes or completing device-code sign-ins, which an attacker can exchange for access tokens that grant third-party app access. The pattern shows that this group is not only advanced but also very patient: it takes its time to build trust before asking for the one thing that grants access.

Google also described a parallel campaign in which phishing emails used Ukrainian- and Microsoft-themed lures to push targets toward the same action. These emails likewise asked for app passwords and followed the same playbook: build trust first, then gain access.

This method of attack is dangerous because it relies on social engineering rather than malware or software bugs. Instead of hacking your system, the attackers persuade you to open the door yourself, using a feature that works exactly as designed. It shows that even 2FA offers no protection when the user is talked into issuing a credential that was built to skip it.

To stay safe, never share app passwords or security codes, and treat any request to create one on someone else's behalf as hostile, especially when it arrives by email. If someone asks you to change your account settings, verify the request through a trusted channel, such as calling the organization or checking its official website. Review the app passwords page in your Google Account security settings (myaccount.google.com/apppasswords) and revoke any you do not recognise or no longer need. Experts also recommend security keys or passkeys, which resist phishing better than code-based 2FA; people at elevated risk can enrol in Google's Advanced Protection Program, which among other things blocks app passwords entirely, so this lure would have nothing to ask for.

This attack is a strong reminder that people remain the easiest point of entry. Even with the best tools, if someone talks you into granting access, the damage can be as bad as a full system breach. Stay alert, question unexpected requests, and think twice before creating, entering or sharing codes or passwords.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news