
A prominent expert on Russian information operations was recently targeted with a sophisticated and personalized novel social engineering attack, researchers say.
“It's like they know what we all expect from them – and then did the opposite,” John Scott-Railton, a senior researcher at The Citizen Lab based at the Munk School of Global Affairs at the University of Toronto, wrote on X.
He’s one of the authors of new research claiming that Russian state-sponsored hackers have deployed a creative phishing attack on prominent academics and critics of Russia. The case of Keir Giles is presented as an example.
The attack is novel because the threat actor took great care to convince the target to set up application-specific passwords (ASPs).
ASPs are randomly generated 16-character passcodes that allow third-party applications to access your Google Account, intended for applications and devices that do not support features like 2-step verification.
Phishing lures were disguised as meeting invitations, and spoofed Department of State email addresses were added on the cc line of the initial outreach to increase the legitimacy of the contact attempt.
The message’s English is grammatical and fluent, but somewhat generic in tone, raising the possibility that the attacker used a large language model or similar tools to help craft the outreach. The message was also received within Washington DC working hours, adding an additional element of credibility.

Once Giles was convinced to create and send the attacker the ASPs for his accounts, bypassing Multi-Factor Authentication (MFA), the threat actor established persistent access to the victim’s mailbox, researchers say.
Google, which cooperated with the Citizen Lab, later spotted and blocked the attacker. Its Google Threat Intelligence Group (GTIG) tracks the operator as UNC6293, a Russian state-backed actor that it links with low confidence to APT29, which is attributed to Russia’s Foreign Intelligence Service.
The revelation shows that Russian state-sponsored hackers have been adapting to the fast-changing cyber landscape.
Users are indeed more familiar with common phishing tactics, and more secure forms of MFA are being introduced. That’s why attackers are increasingly choosing more complex social-engineering strategies.
For example, a recent analysis by Cisco’s Talos reported that nearly half of the recent incidents their team responded to involved attackers trying to bypass MFA.
Several such attack vectors have been observed recently. Attackers can, for example, target alternate account-access flows or mount cross-platform attacks, making it harder for platforms and defenders to put the pieces together.
In Giles’ case, though, he was asked to create and share a screenshot of an ASP. The attack seemingly hinged on deceiving the expert into believing that, by creating and sharing an ASP, he would gain access to a secure government resource, enabling him to participate in the consultation about “certain recent developments.”
Of course, as the Citizen Lab explains, the attackers skillfully reframed creating and sending them an ASP as creating and sharing a code to obtain access to an application maintained by the State Department.

It’s quite convincing, isn’t it? Giles, who later contacted the researchers himself, said that an additional factor helping to preserve the credibility of the deception was its “unhurried pacing.” The interaction indeed unfolded over more than 10 exchanges across several weeks.
“This was a highly sophisticated attack, requiring the preparation of a range of fake identities, accounts, materials, and elements of deception. The attacker was clearly meticulous, to the extent that even a vigilant user would be unlikely to spot out-of-place elements or details,” said the Citizen Lab.