Takeover of British Russia expert’s email accounts used novel phishing tactic
Email accounts belonging to a well-known British expert on Russia were targeted with a highly customized and novel social engineering attack that relied on the use of app-specific passwords (ASPs) to get around multi-factor authentication (MFA), new research shows.
Google detected the hack, which was likely executed by a Russian state-sponsored group, according to a report published Wednesday by the company’s Threat Intelligence Group (GTIG).
The Citizen Lab, a digital forensic research organization, released its own report Wednesday summarizing Google’s findings and providing more details on the attack and how such tactics are deployed broadly.
Keir Giles, who specializes in Russian information operations, was targeted by attackers who “took extensive measures” to keep Giles from becoming suspicious, using a “sophisticated” and never-before-seen phishing tactic to break into several of his email accounts, the Citizen Lab says.
Giles sought help from the Citizen Lab after realizing his accounts were likely compromised, the organization said, noting that it published its report with his consent.
Giles announced over the weekend that several of his email accounts had in fact been compromised, warning his contacts over social media to be wary. He was tricked into generating and sharing ASPs for his accounts through well-executed social engineering methods, “bypassing” MFA, the Citizen Lab report says.
When applications don’t support MFA or don’t align with platforms’ typical log-in procedures, users often create ASPs so that the apps can access accounts even when they are protected with MFA, the Citizen Lab report says, noting that Google refers to them as “Less Secure Apps (LSAs).”
Google has been “phasing out” LSAs in Google Workspace while still letting users generate and subsequently remove such passwords on personal Gmail accounts, according to the Citizen Lab report.
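As an added defender-side example (not from the Citizen Lab or Google reports), the following Python audits a user's app-specific password inventory and flags entries an administrator should review or revoke: recently created ASPs, ASPs never used since creation, and names that echo the kind of enterprise "guest tenant" lure described above. The record shape follows the Admin SDK Directory API `users.asps.list` response (an assumption), and all sample data is constructed.

```python
"""Audit app-specific passwords (ASPs) exported from a Workspace tenant.

Added example. Record fields (codeId, name, userKey, creationTime,
lastTimeUsed as millisecond epoch strings) follow the Directory API
users.asps.list response; that shape is an assumption, and the data
below is constructed, not real account data.
"""
from dataclasses import dataclass

DAY_MS = 24 * 60 * 60 * 1000

# Constructed sample inventory for one user (hypothetical address).
SAMPLE_ASPS = [
    {"codeId": 1, "name": "Mail on old phone", "userKey": "analyst@example.com",
     "creationTime": "1700000000000", "lastTimeUsed": "1747000000000"},
    {"codeId": 2, "name": "MS DoS Guest Tenant", "userKey": "analyst@example.com",
     "creationTime": "1747800000000", "lastTimeUsed": "1747800600000"},
    {"codeId": 3, "name": "Thunderbird", "userKey": "analyst@example.com",
     "creationTime": "1746000000000", "lastTimeUsed": "0"},
]
NOW_MS = 1748000000000  # constructed "now" for the audit run

# Phrases seen in the lure described in the reports; extend per tenant.
LURE_TERMS = ("guest tenant", "ms dos", "microsoft", "state department",
              "secure communication")


@dataclass
class Finding:
    code_id: int
    name: str
    reasons: list


def audit_asps(records, now_ms, max_age_days=14, terms=LURE_TERMS):
    """Return one Finding per ASP that trips at least one heuristic."""
    findings = []
    for rec in records:
        created = int(rec["creationTime"])
        last_used = int(rec.get("lastTimeUsed") or 0)  # 0 = never used
        reasons = []
        if now_ms - created < max_age_days * DAY_MS:
            reasons.append(f"created within {max_age_days} days")
        if last_used == 0:
            reasons.append("never used since creation")
        if any(t in rec["name"].lower() for t in terms):
            reasons.append("name matches known lure theme")
        if reasons:
            findings.append(Finding(int(rec["codeId"]), rec["name"], reasons))
    return findings
```

In a real deployment, feed each user's `asps.list` output through `audit_asps` and, after confirming with the user, revoke flagged entries with `asps.delete`; a newly created ASP the user cannot account for is the signal this attack pattern leaves behind.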
Giles told Recorded Future News that he feels let down by what he sees as Google’s role enabling the hack, even though such an incident is an “occupational hazard” for someone like him.
“The fact that [Russian threat actors] have put such enormous effort into trying to read my mail — and apparently blown an entirely new and unsuspected method of doing so in the process — is a compliment and an endorsement that I am doing the right thing,” Giles said via text.
“What concerns me more is what appears to be a massive security hole in Gmail,” he said. “It’s like investing heavily in locks for your front door, but leaving the window open for anybody that finds it inconvenient to use the keys.”
A Google spokesperson said there is “no vulnerability” connected to Google's ASPs.
“This issue stemmed from a phishing attempt,” the spokesperson said. “ASPs are not unique to Google, and are standard for validating identity across several services. These passwords should be treated like any other password.”
A plot unfolds
The attack began on May 22 with an email sent from a Gmail address, according to the Citizen Lab. The threat actor posed as a State Department official inviting Giles to a “private online conversation” with agency colleagues, the Citizen Lab report says.
Four emails using state.gov addresses were copied on the message, which the Citizen Lab says made the email exchanges appear to be legitimate.
The threat actor seemed to be aware that the State Department email server is “apparently configured to accept all messages and does not emit a ‘bounce’ even when the address does not exist,” according to the Citizen Lab.
Giles told the sender he was interested in participating, but said he had a conflict on the proposed date. From there, the Citizen Lab report says, the attacker responded with what the report calls the “core deception” — an email inviting Giles to join a State Department “MS DoS Guest Tenant” platform.
At least 10 emails were sent back and forth, demonstrating the threat actor's discipline, the Citizen Lab says, and culminating with the attacker sending a PDF file containing directions for how to register for the “MS DoS Guest Tenant” account.
The PDF looked official, the Citizen Lab says, containing “markings and revision history.”
The threat actor told Giles to create an ASP, saying it would “enable secure communications between internal employees and external partners,” the Citizen Lab report says, quoting from the attacker’s email message.
When Giles generated and shared a screenshot of the ASP he was in reality handing the threat actors a credential which gave them total access to his email accounts, according to the Citizen Lab.
“The attackers skillfully reframed creating and sending them an ASP as creating and sharing a code to obtain access to an application maintained by the State Department,” the Citizen Lab report says. “In reality, of course, the ASP would provide them complete and persistent access to [Giles’] accounts.”
Social engineering attacks using ASPs will likely spread, the Citizen Lab says, because threat actors are being forced to rely on more sophisticated methods as individuals become more savvy about phishing, more secure MFAs proliferate and platforms improve their ability to find and block attacks.
‘Impressively patient’ threat actors
Google sent Giles a notification saying that it had sniffed out a suspicious log-in attempt on June 4, nearly two weeks after the attack began, the Citizen Lab report says.
GTIG said a group it tracks as UNC6923 — a likely Russian state-sponsored actor — is behind the attack. The researchers determined with “low confidence” that the operation is connected to APT29, a group also known as Cozy Bear, Midnight Blizzard or BlueBravo.
Google found another wave of attacks coming from the same threat group and using the same methods, the Google report says. This second campaign used a Ukrainian- and Microsoft-themed ASP name, GTIG says.
Giles is likely “patient zero” for the attack tactic used in this case, John Scott-Railton, who co-authored the Citizen Lab report, said via text.
He noted that the attackers were “clever and impressively patient.”
“They seem to know what people expect from Russian phishing, and in this case, they did the exact opposite,” he said. “Solid grammar, lots of credibility-enhancing details, not sending anything malicious.”
“I can see a lot of people falling for such an elaborate deception.”
Meanwhile, Giles said he is waiting for the fallout.
“The immediate challenge is dealt with, and now I am standing by to see how they make use of the messages they have stolen,” Giles said.
In a U.K. context, he said, that typically involves using proxy organizations to execute the final step of a “hack-forge-dump attack to try to smear and discredit the victim.”
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.