Google says hackers used app specific passwords to bypass MFA in a targeted attack

[harlan4096]

Google has published an article that confirms hackers bypassed Gmail's multifactor authentication (MFA) to breach an individual's account. No, it probably won't happen to you, because this was a targeted attack.

The Google Threat Intelligence Group (GTIG) has explained what happened on Google's blog. It worked with Citizen Lab, which is known for its investigative reports, to probe the incident.

GITG had observed that hackers had crafted a sophisticated, personal, social engineering attack to target Keir Giles, a prominent British researcher on Russia. Google's team has labeled the threat actor as UNC6293, a likely Russia state-sponsored cyber actor, and links them with low confidence to APT29 / ICECAP (also called Cozy Bear), which has ties to Russia's Foreign Intelligence Service (SVR).

We have seen phishing attacks that involved messaging apps, and mercenary spyware such as Pegasus, but these hackers used a new technique. They had taken precautions to prevent Mr. Giles from getting suspicious. On May 22, 2025, the attackers impersonated a U.S. State Department official, "Claudie S. Weber", in an email that invited Mr. Giles for a private online consultation to discuss something in his field of expertise. The hacker simply used a Gmail address, but had CC-ed 4 @state.gov email addresses, likely to pose as a legitimate sender, and they had sent the email during Washington D.C. working hours too. In reality, the .gov addresses likely do not exist. Citizen Lab says that the language and grammar seems to suggest that the hackers had used a large language model or some similar AI tools to craft the emails.

Continue Reading...