A sophisticated Russia-linked cyber threat actor, tracked as UNC6293 by Google’s Threat Intelligence Group (GTIG), has been impersonating the U.S. Department of State to target academics and critics of Russia in a coordinated espionage campaign.
From April through early June 2025, the group deployed highly tailored social engineering tactics, leveraging detailed rapport-building and customized lures to trick targets into sharing application-specific passwords (ASPs) for their Google accounts.
This technique provides persistent mailbox access and is a rising vector in state-sponsored cyber operations.

Campaign Details and Tactics
The UNC6293 campaign began with benign-looking emails, often spoofing legitimate U.S. State Department addresses embedded in the ‘cc’ line to enhance credibility.
The initial outreach, usually packaged as meeting invitations, urged the target to respond and set up a future interaction.
Upon engagement, the attacker sent a benign, yet personalized PDF attachment containing instructions for accessing a spoofed State Department cloud environment.
The PDF instructed targets to navigate to the legitimate Google Account security page (https://account.google.com) and create an application-specific password (ASP), a 16-character code designed to enable third-party apps to access a Google account when two-step verification (2SV) is unsupported.
Attackers suggested the application name “ms.state.gov” in one campaign, and a Ukrainian or Microsoft-themed name in another, further enhancing the illusion of authenticity.
Once the ASP was generated, the attacker guided the target to share the passcode. With this credential, the attackers could connect a mail client to the victim’s Gmail account, enabling persistent, undetected access and the ability to monitor or exfiltrate sensitive correspondence.
Attackers primarily used residential proxy servers (e.g., 91.190.191.117 in both campaigns) and, in some cases, Virtual Private Servers (VPS) to mask their origins and reuse infrastructure for multiple victims or accounts.
Connection to Known Threat Actors and Mitigation
While GTIG attributes these activities to UNC6293 with only low confidence, initial assessments suggest possible links to the Russia-affiliated APT29 (also known as ICECAP).
The actor’s choice of targets, prominent critics of Russia and academics, along with its documented tactics, aligns with broader trends in Russian state-sponsored cyber espionage.
GTIG has taken steps to secure compromised Gmail accounts and emphasizes that Google users retain complete control over their ASPs, which they can revoke at any time.
Google notifies account holders via email, recovery addresses, and signed-in devices whenever an ASP is created, alerting them to unintended changes.
For individuals at heightened risk, Google’s Advanced Protection Program (APP) offers enhanced security by prohibiting the use of ASPs altogether.
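The detection logic below is an added example written for this article; it is not code from Google, GTIG, or the report. It turns the two facts above into a check a defender can run over account audit events: an application-specific password was created (in the lure, under a name such as “ms.state.gov”), and shortly afterwards a mail client signed in with it from an address the account had never used before (the residential proxy 91.190.191.117 named in the report). The JSON event format, field names, user names and the other IP addresses are constructed for this example and do not correspond to any real Google log schema.

```python
"""Correlate app-password creation with follow-on mail-client sign-ins.

Added example, not code from Google or GTIG. The audit-event schema used
here is an assumption made for the example, not a real Google log format.
"""
import json
from datetime import datetime, timedelta

# Constructed sample audit log, one JSON event per line. Users, the
# 203.0.113.x / 198.51.100.x addresses and the field names are assumed;
# 91.190.191.117 and the app name "ms.state.gov" come from the report.
SAMPLE_LOG = """\
{"ts": "2025-05-02T09:14:00Z", "user": "alice@example.org", "event": "login", "method": "password+2sv", "ip": "203.0.113.10"}
{"ts": "2025-05-03T10:02:00Z", "user": "alice@example.org", "event": "login", "method": "password+2sv", "ip": "203.0.113.10"}
{"ts": "2025-05-06T15:41:00Z", "user": "alice@example.org", "event": "asp_created", "app_name": "ms.state.gov", "ip": "203.0.113.10"}
{"ts": "2025-05-06T16:05:00Z", "user": "alice@example.org", "event": "login", "method": "asp", "protocol": "imap", "ip": "91.190.191.117"}
{"ts": "2025-05-04T08:00:00Z", "user": "bob@example.org", "event": "login", "method": "password+2sv", "ip": "198.51.100.7"}
{"ts": "2025-05-05T08:30:00Z", "user": "bob@example.org", "event": "asp_created", "app_name": "Thunderbird laptop", "ip": "198.51.100.7"}
{"ts": "2025-05-05T08:35:00Z", "user": "bob@example.org", "event": "login", "method": "asp", "protocol": "imap", "ip": "198.51.100.7"}
"""

# How long after ASP creation a first-time sign-in with it is still
# treated as related to that creation (assumed value).
WINDOW = timedelta(hours=72)


def parse_log(text):
    """Parse JSON-lines audit events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def looks_like_domain(app_name):
    """True if the ASP label is shaped like a hostname (e.g. ms.state.gov).

    The lure told victims to name the password after an official domain;
    a genuine mail-client label rarely looks like one.
    """
    labels = app_name.strip().lower().split(".")
    return len(labels) >= 2 and all(
        label and label.replace("-", "").isalnum() for label in labels
    )


def detect_asp_abuse(events, window=WINDOW):
    """Flag ASP creations followed by an ASP sign-in from a never-seen IP.

    For each asp_created event the baseline is the set of IPs the same
    user signed in from before the password existed. Any sign-in that
    uses the ASP within `window` from an address outside that baseline
    produces an alert. `events` must be sorted by timestamp.
    """
    alerts = []
    for i, created in enumerate(events):
        if created["event"] != "asp_created":
            continue
        user = created["user"]
        baseline = {
            e["ip"] for e in events[:i]
            if e["user"] == user and e["event"] == "login"
        }
        for later in events[i + 1:]:
            if later["ts"] - created["ts"] > window:
                break  # sorted input: nothing further is inside the window
            if (later["user"] != user or later["event"] != "login"
                    or later.get("method") != "asp"):
                continue
            if later["ip"] not in baseline:
                alerts.append({
                    "user": user,
                    "app_name": created.get("app_name", ""),
                    "domain_like_name": looks_like_domain(created.get("app_name", "")),
                    "asp_created": created["ts"].isoformat(),
                    "login_ts": later["ts"].isoformat(),
                    "login_ip": later["ip"],
                    "protocol": later.get("protocol", "unknown"),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_asp_abuse(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

On the constructed sample the check raises one alert, for the account whose new password was labelled like a government hostname and then used over IMAP from the proxy address, and stays quiet for the user who created a normally named password and signed in from a familiar address. A real deployment would also act on the creation notification itself: since Google alerts the account holder whenever an ASP is created, a creation the user does not recognise is reason to revoke it immediately, and accounts enrolled in the Advanced Protection Program never produce such events at all.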
Broader Implications and Recommendations
These campaigns highlight the evolving sophistication of state-sponsored cyber threats, particularly the exploitation of trust, official branding, and legitimate digital workflows.
The GTIG’s findings, shared with the security community, underscore the importance of continued vigilance, education, and the adoption of robust security practices, especially among high-risk users.
By combining technical defenses, such as multi-factor authentication and the Advanced Protection Program, with user awareness, organizations and individuals can better defend against even the most persistent and deceptive cyber adversaries.
The collaboration between Google, external partners, and the broader security community remains vital in mitigating such threats and safeguarding digital communications.