Introduction

In a cyber espionage campaign that ran from April to early June 2025 [7] [9], the Russian state-linked group APT29 [5], also known as Cozy Bear [3] [8], targeted Keir Giles [4] [5], a senior associate at Chatham House and an expert on Russian information operations [5] [8]. The operation [1] [2] [3] [4] [7] focused on prominent academics and critics of Russia [7] [10] and relied on patient social engineering rather than malware to obtain access to the targets' email accounts.

Description

Keir Giles, a senior associate at Chatham House and an expert on Russian information operations [5] [8], was targeted in a spear phishing campaign [1] [2] [3] [4] [5] [6] [8] [11] attributed to the Russian state-linked group APT29, also known as Cozy Bear and tracked as UNC6293 [3]. The group [5] [11], linked to Russia's Foreign Intelligence Service (SVR) [5] [8] [11], ran the operation from April to early June 2025 and concentrated on prominent academics and critics of Russia. The attackers relied on carefully staged social engineering [7], impersonating the US Department of State and padding their messages with fake @state.gov addresses to lend them credibility.

The campaign began on May 22, when Giles received an email from a persona calling itself Claudie S Weber [5], purportedly a senior advisor at the State Department [2] [4]. To bolster the pretext, the attackers placed several fabricated @state.gov addresses in the CC line and invited Giles to join a State Department "MS DoS Guest Tenant" platform [8], a fictitious system that existed only to harvest credentials [8]. Over ten carefully crafted emails built up trust before the attackers asked him to create an Application Specific Password (ASP) for the platform, framed as a required step for accessing a secure government system [1]. An ASP is a 16-character code that Google issues for older applications that cannot complete two-factor authentication (2FA); anyone holding it can sign in from a mail client without any 2FA prompt, so handing one over gives an attacker persistent access that sidesteps multi-factor authentication entirely [1] [4].

During the exchange the attackers sent an official-looking PDF that carried no malware but walked Giles through creating the ASP [8], presenting it as essential for secure communications [8]. By reframing the sharing of an ASP as a routine step in gaining access to a government resource [8], they led Giles to generate ASPs for more than one account [8]; related activity used lure themes around Ukraine and Microsoft rather than the State Department [8]. Although the initial email contained no malware [2], the ASPs exposed his Gmail account; because Giles used a separate Gmail account for this correspondence, the exposure was contained [2]. After roughly ten exchanges [2], Giles publicly disclosed the attack [2], warning that stolen material could be doctored for disinformation [2] and that Russian intelligence might alter messages in his inbox for propaganda purposes.
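The structural tell in the lure described above is not a forged header: the sender is a genuine free webmail account, so SPF and DKIM pass, while the apparent authority comes from an official-sounding display name and a CC line padded with @state.gov addresses that the receiving mail server cannot verify. As an added example (not code from any of the cited reports), the following Python triage check separates that borrowed authority from a message whose sender actually owns the trusted domain. The domain lists, keywords and both sample messages are constructed for the example.

```python
"""Borrowed-authority triage for inbound mail (example code, not from the
cited reports). A message is suspicious when its apparent authority comes
from addresses and names it does not own: trusted-domain addresses in To/Cc
and an official-sounding display name, with the real sender on free webmail.
SPF/DKIM can legitimately pass for such a message, because it really was
sent from the webmail provider, so authentication checks alone miss it."""

import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed lists for the example; in production these come from the org's
# contact registry and a maintained free-mail provider list.
TRUSTED_DOMAINS = {"state.gov"}
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "proton.me", "yahoo.com"}
ORG_KEYWORDS = re.compile(r"\b(?:state department|department of state|dos|state\.gov)\b", re.I)
# Pulls the domain out of "spf=pass smtp.mailfrom=..." and "dkim=pass header.d=..."
AUTH_PASS = re.compile(
    r"(?:spf|dkim)=pass[^;]*?(?:smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)", re.I)

# Constructed sample lure (not a real artifact): free-mail sender, official
# display name, three state.gov addresses in Cc, SPF/DKIM passing for gmail.com.
SAMPLE_LURE = """\
From: "Weber, Claudie (State Department)" <claudie.weber.dos@gmail.com>
To: target@example.org
Cc: john.doe@state.gov, jane.roe@state.gov, sam.poe@state.gov
Subject: Invitation: MS DoS Guest Tenant onboarding
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass header.d=gmail.com
Date: Thu, 22 May 2025 09:12:00 +0000

Please follow the attached instructions to join the guest tenant.
"""

# Constructed benign counterpart: a state.gov sender whose own domain authenticates.
SAMPLE_BENIGN = """\
From: "Doe, John" <john.doe@state.gov>
To: target@example.org
Cc: jane.roe@state.gov
Subject: Meeting follow-up
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=state.gov;
 dkim=pass header.d=state.gov
Date: Thu, 22 May 2025 09:12:00 +0000

Notes attached.
"""


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def authenticated_domains(raw):
    """Domains the receiving MTA recorded an spf=pass or dkim=pass for."""
    msg = message_from_string(raw)
    found = set()
    for hdr in msg.get_all("Authentication-Results", []):
        found.update(d.lower() for d in AUTH_PASS.findall(hdr))
    return found


def lure_signals(raw):
    """Names of the borrowed-authority signals present in one RFC 5322 message."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain(sender)
    # Authority is only "borrowed" when the sender is not on the trusted domain itself.
    borrowed = sender_domain not in TRUSTED_DOMAINS
    signals = []
    if sender_domain in FREEMAIL_DOMAINS:
        signals.append("freemail_sender")
    recipients = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    if borrowed and any(_domain(a) in TRUSTED_DOMAINS for a in recipients):
        signals.append("trusted_domain_in_recipients")
    if borrowed and ORG_KEYWORDS.search(f"{display} {msg.get('Subject', '')}"):
        signals.append("org_keyword_without_org_domain")
    # Classic header-From spoofing: the From domain never authenticated at all.
    if sender_domain not in authenticated_domains(raw):
        signals.append("header_from_unauthenticated")
    return signals


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, lure_signals(raw))
```

The point of the two samples is that the lure raises three signals while passing authentication cleanly, and the benign message raises none: a mail gateway that trusts SPF/DKIM results alone has no opinion about who is in the CC line, which is exactly the gap the attackers exploited.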

Google's security systems eventually flagged suspicious activity and locked down the affected accounts [1]. The Google Threat Intelligence Group (GTIG) blocked the attacker-controlled Gmail account and helped secure Giles' inbox, and later disclosed a broader campaign against other academics and critics of Russia, a notable departure for APT29 [3], which typically targets diplomatic organizations and NGOs rather than individuals [3]. Infrastructure analysis showed residential proxies and virtual private servers (VPS) in use [7], linking the activity to a wider threat cluster [7]. GTIG advised high-risk users not to create app-specific passwords at all [2] and to enroll in the Advanced Protection Program (APP), which blocks ASP creation outright [1] [2], alongside monitoring account activity and enabling other advanced security measures [2].

This incident underscores the evolving tactics of state-aligned cyber actors [2] [5], who now integrate social engineering with AI and deep reconnaissance to reach high-value individuals [2], and it raises the question of how far standard protections hold when a lure persuades the victim to hand over a credential that bypasses MFA by design. Because many services offer app-specific passwords or similar legacy-authentication features [1], the same approach is likely to be reused against other platforms [1]. Indicators of compromise (IOCs) for this campaign have been published for reference and mitigation [7].

Conclusion

The APT29 campaign against Keir Giles shows how state-aligned actors now pair patient social engineering with knowledge of authentication edge cases to reach individuals rather than institutions. The practical defences are specific: treat any request to create or share an app-specific password as a red flag, keep high-risk accounts enrolled in a programme such as APP that disables ASPs, and monitor account activity. Because the same lure works wherever legacy credentials exist, similar campaigns should be expected, and security guidance will need to keep pace with them.

References

[1] https://cybersecuritynews.com/new-sophisticated-attack-exploits-google-app-passwords/
[2] https://dig.watch/updates/chatham-house-analyst-targeted-in-phishing-attack
[3] https://insight.scmagazineuk.com/apt29-linked-hackers-behind-us-state-department-spoofing-intrusions
[4] https://www.bitdefender.com/en-us/blog/hotforsecurity/russian-hackers-bypass-gmail-2fa-in-complex-phishing-and-social-engineering-attack
[5] https://hackread.com/hackers-use-social-engineering-expert-russian-operations/
[6] https://news.risky.biz/risky-bulletin-russian-hackers-abuse-app-specific-passwords-to-bypass-mfa/
[7] https://gbhackers.com/sophisticated-phishing-attack-uses-asp-pages/
[8] https://sechub.in/view/3073311
[9] https://rewterz.com/threat-advisory/apt29-bypasses-gmail-2fa-using-app-passwords-active-iocs
[10] https://www.cyware.com/resources/threat-briefings/daily-threat-briefing/cyware-daily-threat-intelligence-june-19-2025
[11] https://www.infosecurity-magazine.com/news/russia-expert-elite-hackers-us/