
Russian Hackers Exploit App-Specific Passwords to Bypass Gmail MFA
Russian hackers have found a way to bypass Gmail’s multi-factor authentication (MFA) by exploiting app-specific passwords, a feature intended to enhance usability by allowing third-party applications access without the primary password. This vulnerability has been leveraged by tricking users into creating and sharing these passwords, granting unauthorized access without triggering security alerts. The hackers, believed to be linked to APT29, a group associated with Russia’s Foreign Intelligence Service, have used sophisticated social engineering tactics, including impersonating U.S. Department of State officials, to deceive their targets (Bleeping Computer). Their targets are often individuals involved in high-profile issues, such as academics and researchers critical of Russia, highlighting the strategic nature of these attacks (Citizen Lab).
Exploitation of App-Specific Passwords
Russian hackers have exploited a lesser-known feature of Google accounts, app-specific passwords, to bypass Gmail’s multi-factor authentication (MFA) safeguards. App-specific passwords are designed to let third-party applications that cannot complete the MFA flow access a Google account without the user’s primary password. Because such a password is accepted on its own, with no second factor, the feature improves usability but also creates a path around MFA that threat actors can abuse. By tricking users into creating and sharing these passwords, hackers can gain unauthorized access to Gmail accounts without triggering security alerts. (Bleeping Computer)
Social Engineering Tactics
The hackers employed sophisticated social engineering tactics to deceive targets into creating and sharing app-specific passwords. These tactics involved impersonating U.S. Department of State officials and using meticulously crafted phishing messages. The attackers did not rush their targets but instead engaged in prolonged interactions to build trust and credibility. This approach was particularly effective against individuals involved in high-profile issues related to conflicts, litigation, or advocacy. (Citizen Lab)
Infrastructure and Anonymity
To maintain anonymity, the hackers used residential proxies and virtual private servers (VPS) in their infrastructure. This setup allowed them to log into compromised email accounts without revealing their true locations. Because residential proxy addresses, such as 91.190.191[.]117, look like ordinary consumer connections, security systems found it difficult to detect and block the malicious logins. This level of operational security is indicative of a well-resourced and highly skilled threat actor. (Bleeping Computer)
Target Selection
The targets of this campaign were carefully chosen, focusing on individuals who are critics of Russia, especially academics and researchers. The attackers aimed to compromise accounts of people closely involved in high-profile issues, thereby gaining access to sensitive information and communications. This targeted approach underscores the strategic objectives of the hackers, likely aligned with state-sponsored espionage activities. (Rewterz)
Link to APT29
The cyber actor responsible for these attacks is tracked as UNC6293, believed to be associated with APT29, a threat group under Russia’s Foreign Intelligence Service (SVR). APT29, also known as Cozy Bear, has been active since at least 2008 and is known for targeting government networks, research institutes, and think tanks. The group’s association with state-sponsored activities suggests that these attacks are part of a broader campaign to gather intelligence and disrupt adversaries. (Cyber Kendra)
Recommendations for Protection
To protect against such sophisticated attacks, Google recommends enrolling in its Advanced Protection Program, which elevates security measures on accounts and does not allow the creation of app-specific passwords. This program is particularly suited for individuals at high risk of targeted attacks, such as journalists, activists, and political figures. Additionally, users are advised to remain vigilant against phishing attempts and to verify the authenticity of communications purportedly from official sources. (Bleeping Computer)
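As an added defender-side illustration (not code from any of the cited reports), the check below correlates app-password creation events with later logins that authenticated with an app password from an IP address the account had never used, the sequence that the exploitation and infrastructure sections above describe. The event format and the sample events are constructed and simplified; they are not Google’s actual audit-log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical format (NOT Google's
# real audit-log schema). method "app_password" marks a login that used an
# app-specific password instead of the primary password plus second factor.
SAMPLE_EVENTS = [
    {"ts": "2025-06-10T09:00:00", "user": "analyst@example.org", "event": "login", "ip": "203.0.113.5", "method": "password+mfa"},
    {"ts": "2025-06-12T14:20:00", "user": "analyst@example.org", "event": "app_password_created", "ip": "203.0.113.5", "method": "password+mfa"},
    {"ts": "2025-06-12T15:05:00", "user": "analyst@example.org", "event": "login", "ip": "198.51.100.77", "method": "app_password"},
    {"ts": "2025-06-11T08:00:00", "user": "other@example.org", "event": "login", "ip": "203.0.113.9", "method": "app_password"},
]

def parse_ts(s):
    return datetime.fromisoformat(s)

def find_suspicious_app_password_logins(events, window_days=7):
    """Return alerts for app-password logins from an IP never seen for that user,
    occurring within window_days after an app password was created for them.
    That sequence matches the tradecraft described in the article: the victim is
    coaxed into minting an app password, then it is used from proxy infrastructure."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    seen_ips = defaultdict(set)  # user -> IPs observed in earlier events
    last_created = {}            # user -> timestamp of most recent app password creation
    alerts = []
    for e in events:
        user, ip, ts = e["user"], e["ip"], parse_ts(e["ts"])
        if e["event"] == "app_password_created":
            last_created[user] = ts
        elif e["event"] == "login" and e["method"] == "app_password":
            created = last_created.get(user)
            recently_created = created is not None and ts - created <= timedelta(days=window_days)
            if recently_created and ip not in seen_ips[user]:
                alerts.append({"user": user, "ip": ip, "ts": e["ts"],
                               "reason": "app-password login from new IP shortly after app password creation"})
        seen_ips[user].add(ip)  # baseline grows only after the event has been evaluated
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_app_password_logins(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample, only the analyst@example.org login from 198.51.100.77 is flagged; the other account’s app-password login has no preceding creation event and is left alone, so the rule stays quiet for long-standing legitimate app passwords.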
Final Thoughts
The exploitation of app-specific passwords by Russian hackers underscores the evolving nature of cybersecurity threats. By employing advanced social engineering tactics and maintaining anonymity through residential proxies, these hackers have demonstrated a high level of operational security and strategic targeting. This incident serves as a reminder of the importance of robust security measures and vigilance against phishing attempts. Google’s Advanced Protection Program offers a viable solution by enhancing account security and eliminating the use of app-specific passwords, which is crucial for individuals at high risk of targeted attacks (Bleeping Computer). As cyber threats continue to evolve, staying informed and adopting proactive security measures remain essential.
References
- Bleeping Computer. (2025). Russian hackers bypass Gmail MFA using stolen app passwords. https://www.bleepingcomputer.com/news/security/russian-hackers-bypass-gmail-mfa-using-stolen-app-passwords/
- Citizen Lab. (2025). Russian government-linked social engineering targets app-specific passwords. https://citizenlab.ca/2025/06/russian-government-linked-social-engineering-targets-app-specific-passwords/
- Rewterz. (2025). APT29 bypasses Gmail 2FA using app passwords: Active IOCs. https://rewterz.com/threat-advisory/apt29-bypasses-gmail-2fa-using-app-passwords-active-iocs
- Cyber Kendra. (2025). Russian hackers perfect new social engineering tactics. https://www.cyberkendra.com/2025/06/russian-hackers-perfect-new-social.html