
Russian Hackers Bypass Gmail 2FA in Complex Phishing and Social Engineering Attack

Silviu STAHIE

June 20, 2025


Hackers have waged a sophisticated social engineering and phishing campaign to target a high-profile researcher by exploiting a Gmail feature.

A suspected Russia-backed group, likely APT29 (Cozy Bear), has launched an advanced phishing operation against Keir Giles, an outspoken critic of Russian aggression. The attackers bypassed multi-factor authentication (MFA) protections by exploiting a lesser-known Gmail feature that lets someone log in without ever knowing the account's actual password.

"Claudie S Weber" and the phantom platform

In early 2024, someone claiming to be a senior advisor at the US State Department, Claudie S. Weber, emailed Keir Giles. At the time, Giles was a senior fellow specializing in Russian affairs at Chatham House. Weber invited Giles to a confidential discussion via a "guest tenant platform."

Weber and Giles exchanged dozens of emails in the following weeks, all while maintaining a professional tone and decorum, sending PDF guides and even offering mock IT support when Giles started to hesitate.

"It looked plausible at first glance, but with minor inconsistencies," Giles told The Times. "They were very patient, very persistent, and incredibly well-informed."

Exploiting app-specific passwords

The attacker didn't steal Giles's password. Instead, he convinced him to generate an "app-specific password," a legitimate Gmail feature intended for older apps that do not support modern sign-in methods.

Because app-specific passwords are designed to work without a second factor, the generated password bypassed Gmail's two-factor authentication (2FA) and granted whoever held it full access to the account. The attackers used this feature to circumvent Google's security mechanisms entirely.
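The mechanism the article describes, as a small constructed model (added here, not Google's code): an account with a normal password plus a second factor, and a separate pool of app-specific passwords that authenticate on their own. The account, labels, secrets and the 30-day review window are all assumptions made for the example; the point it shows is that the app-password path never consults the second factor, and the audit helper is the kind of check a user or administrator would want to run on such an account.

```python
"""Toy model of why an app-specific password sidesteps a second factor.

Constructed illustration only: it is not Google's implementation. An
Account holds a hashed primary password, a flag for 2-step verification,
and a list of app-specific passwords minted for legacy clients.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional
import hashlib
import hmac
import secrets


@dataclass
class AppPassword:
    label: str            # what the user believed it was for
    secret_hash: str      # only the hash is stored, as with the real feature
    created_at: datetime


@dataclass
class Account:
    email: str
    password_hash: str
    totp_enrolled: bool = True
    app_passwords: List[AppPassword] = field(default_factory=list)


def _h(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def create_app_password(acct: Account, label: str, now: datetime) -> str:
    """Mint a random 16-character app password and store only its hash."""
    plain = secrets.token_hex(8)
    acct.app_passwords.append(AppPassword(label, _h(plain), now))
    return plain


def login(acct: Account, credential: str, totp_ok: Optional[bool]) -> str:
    """Return the outcome of a login attempt with a single credential string.

    Primary password: the second factor is required when enrolled.
    App password: accepted on its own, which is exactly why a phished one
    yields full account access with 2FA still switched on.
    """
    if hmac.compare_digest(_h(credential), acct.password_hash):
        if acct.totp_enrolled and not totp_ok:
            return "denied: second factor required"
        return "granted: password + second factor"
    for ap in acct.app_passwords:
        if hmac.compare_digest(_h(credential), ap.secret_hash):
            return f"granted: app password '{ap.label}' (no second factor checked)"
    return "denied: bad credential"


def audit_app_passwords(acct: Account, now: datetime, max_age_days: int = 30) -> List[str]:
    """Defender check: labels of app passwords created within the review window.

    An account that uses no legacy mail client should normally hold none at
    all; a recently minted one on such an account is worth revoking.
    """
    cutoff = now - timedelta(days=max_age_days)
    return [ap.label for ap in acct.app_passwords if ap.created_at >= cutoff]


def demo() -> dict:
    """Walk through the scenario with constructed values and return outcomes."""
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)
    acct = Account("researcher@example.com", _h("correct horse battery staple"))
    # Constructed: the user is talked into minting an app password under a
    # plausible label and handing the value over.
    handed_over = create_app_password(acct, "guest tenant platform", now)
    return {
        "password_without_otp": login(acct, "correct horse battery staple", totp_ok=False),
        "password_with_otp": login(acct, "correct horse battery staple", totp_ok=True),
        "app_password": login(acct, handed_over, totp_ok=None),
        "review": audit_app_passwords(acct, now),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the script shows the primary password being refused without the one-time code while the app password is accepted with no second factor at all; the audit list is what a periodic review of the account's security settings should surface and revoke.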

"This wasn't a flaw in Gmail itself," said Shane Huntley, head of Google's Threat Analysis Group (TAG). "The attackers abused legitimate functionality through deceptive social engineering."

Google attributed the attack to a Russian government-backed group, likely APT29 (Cozy Bear), and warned that others could be targeted, especially if they work in academia, think tanks, or mass media.

Precision and patience

The attackers started by creating a convincing Gmail account and cc'ing seemingly legitimate officials on their emails. Gmail did not flag these fake addresses, which lent the correspondence added credibility.

The phishing campaign against Keir Giles succeeded not by defeating technical protections head-on but by exploiting human trust. The drawback for the attackers is that such a plan can take months to pay off, which is why this kind of highly targeted operation is usually reserved for high-value individuals.
