What's in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia
A Russian state-sponsored cyber threat actor impersonated the U.S. Department of State to target prominent academics and critics of Russia. The attackers used extensive rapport building and tailored lures to convince targets to set up application-specific passwords (ASPs). Once obtained, these ASPs allowed persistent access to victims' mailboxes. Two distinct campaigns were observed, both using residential proxies and VPS servers for access. The attackers sent phishing emails disguised as meeting invitations, including spoofed Department of State email addresses to increase legitimacy. Victims were directed to create ASPs with specific names, which the attackers then used to access their email accounts. This activity is tracked as UNC6293 and is assessed with low confidence to be associated with APT29 / ICECAP.
AI Analysis
Technical Summary
This campaign, tracked as UNC6293 and attributed with low confidence to the Russian state-sponsored group APT29 (also tracked as ICECAP), is a phishing operation aimed at prominent academics and critics of Russia. The attackers impersonate the U.S. Department of State, sending tailored meeting invitations that carry spoofed Department of State addresses to make the lure credible. Rather than harvesting the target's primary password, the lure persuades the target to create an application-specific password (ASP) with an attacker-chosen name and to hand it over.

ASPs exist so that legacy mail clients and devices that cannot complete a modern multi-factor sign-in can still authenticate, typically over protocols such as IMAP. An ASP is therefore a standing credential that the mail service accepts without a second factor and without repeated authentication, and the resulting sessions look like an ordinary mail client rather than a new browser sign-in. The attacker keeps access for as long as the ASP exists, which makes this a persistence mechanism rather than a one-off credential theft, and it sidesteps defences built around credential-harvesting pages or malware delivery. Access was performed through residential proxies and VPS servers, which hide the operators' real infrastructure and make geolocation-based anomaly detection less reliable. Two distinct campaigns were observed, indicating a sustained and adaptive effort, and the attackers invested in extensive rapport building before making the ASP request.

The indicators published with the report are one IP address (91.190.191.117) and one file hash. The activity maps to MITRE ATT&CK techniques including T1566 (Phishing), T1078 (Valid Accounts) and T1114 (Email Collection), together with related credential-access and persistence techniques. No CVE or software exploit is involved: the attack abuses a legitimate authentication feature through social engineering alone.

The campaign was publicly disclosed in June 2025, with detailed analysis available from Google Cloud Threat Intelligence. Overall, this represents a targeted, state-sponsored espionage effort that combines creative phishing with authentication abuse to compromise the email accounts of high-value individuals.
Potential Impact
For European organizations, especially academic institutions, think tanks, human rights organizations and government bodies, this campaign poses a significant espionage risk. The targeted individuals, academics and critics of Russia, are often based in or collaborate with European entities, making those organizations indirect victims or secondary targets. Compromise of an email account via an ASP gives the attacker long-term, quiet access to sensitive correspondence, unpublished research and strategic discussions, which can lead to data exfiltration, manipulation of communications and reputational damage. Because ASP-based access does not trip the controls that watch for new interactive sign-ins, the espionage can continue undetected for a long time.

The use of spoofed U.S. Department of State addresses may also erode trust in genuine official communications and disrupt diplomatic or academic collaboration. Given the tailored social engineering, European organizations with prominent Russia-related research or policy roles are at elevated risk. The campaign does not target European infrastructure or systems directly, but the people it targets are critical nodes in the information ecosystem, and their compromise can have cascading effects on European policy, research integrity and security.
Mitigation Recommendations
1. Monitor and audit ASP use: log every ASP creation with its name, the creating user and the source IP; alert on creation for high-risk accounts and on ASP names that imitate an external organization; and alert on any ASP-authenticated login from an address not seen in that user's normal interactive sign-ins or matching published indicators. 2. Brief high-risk personnel, especially academics and policy experts, on the specific tactics of this campaign: a genuine meeting invitation never requires creating an ASP or sharing one, however plausible the rapport that precedes the request. 3. Where the platform allows, disable ASPs for the organization or at least for high-risk accounts, move legacy clients to modern OAuth-based authentication, and periodically review and revoke existing ASPs. Note that ASPs bypass multi-factor authentication by design, so strengthening MFA alone does not close this vector. 4. Enforce SPF, DKIM and DMARC on inbound mail and add anomaly detection for sender behaviour. A spoofed address in a third-party domain is only rejected if that domain publishes an enforcing DMARC policy and the receiving gateway honours it, so display-name and look-alike-domain tricks still need separate detection. 5. Hunt regularly for persistent access via ASPs: review login and mailbox access logs for ASP-authenticated sessions, unfamiliar IP addresses, VPS hosting ranges and residential proxy use. 6. Work with national cybersecurity centres and intelligence-sharing platforms to receive timely indicators related to UNC6293 and APT29. 7. Encourage secure communication platforms for sensitive discussions, reducing reliance on email accounts exposed to this kind of phishing. 8. Deploy endpoint detection and response (EDR) so that follow-on activity after a mailbox compromise, such as lateral movement or exfiltration tooling, is caught; ASP access itself touches no endpoint, so EDR complements rather than replaces the mailbox-side controls above. These measures address the ASP abuse vector and the social-engineering specifics of this campaign rather than generic phishing advice.
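The technical summary above describes why an ASP login looks like an ordinary mail client, and mitigation items 1 and 5 call for alerting on ASP creation and hunting ASP-authenticated logins from unfamiliar or known-bad addresses. The script below is an added example of that hunting logic; it is not code from the Google Cloud report or from this site. The log format is constructed for the example (JSON lines with event, user, ip, auth_method, asp_name and client fields), the user names, ASP names and all addresses except the page's IOC are made up, and the field names are assumptions that need mapping onto whatever your mail provider actually exports before use.

```python
"""
Hunt for application-specific-password (ASP) abuse in mailbox access logs.

Added illustration; not code from the Google Cloud report or from OffSeq.
The log schema is CONSTRUCTED for this example: one JSON object per line with
event, user, ip, auth_method (password_mfa | asp), client and asp_name fields.
Map these onto your provider's real login/admin audit export before use.
"""
import ipaddress
import json
from collections import defaultdict

KNOWN_BAD_IPS = {"91.190.191.117"}  # the IP indicator published on this page
CHURN_THRESHOLD = 2  # distinct /24 networks behind one user's ASP logins

# Constructed sample events. 203.0.113.x and 198.51.100.x are documentation
# ranges; the ASP names and users are invented for the example.
SAMPLE_LOG = """\
{"ts":"2025-06-01T09:00:00Z","event":"login","user":"prof@example.edu","ip":"203.0.113.10","auth_method":"password_mfa","client":"browser"}
{"ts":"2025-06-03T14:12:00Z","event":"login","user":"prof@example.edu","ip":"203.0.113.10","auth_method":"password_mfa","client":"browser"}
{"ts":"2025-06-05T16:40:00Z","event":"asp_created","user":"prof@example.edu","ip":"203.0.113.10","asp_name":"state-dept-meeting"}
{"ts":"2025-06-05T17:02:00Z","event":"login","user":"prof@example.edu","ip":"91.190.191.117","auth_method":"asp","client":"imap"}
{"ts":"2025-06-08T03:15:00Z","event":"login","user":"prof@example.edu","ip":"198.51.100.77","auth_method":"asp","client":"imap"}
{"ts":"2025-06-02T08:00:00Z","event":"login","user":"alice@example.edu","ip":"203.0.113.20","auth_method":"password_mfa","client":"browser"}
{"ts":"2025-06-02T08:05:00Z","event":"asp_created","user":"alice@example.edu","ip":"203.0.113.20","asp_name":"thunderbird-laptop"}
{"ts":"2025-06-02T08:06:00Z","event":"login","user":"alice@example.edu","ip":"203.0.113.20","auth_method":"asp","client":"imap"}
"""


def parse_events(text):
    """Parse JSON lines and sort by timestamp, since each user's baseline must
    be built only from events that happened before the one being judged.
    ISO-8601 UTC stamps with an identical layout sort correctly as strings."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def network_of(ip):
    """Collapse an address to its /24 so proxy rotation inside one block
    is not mistaken for many independent sources."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def hunt_asp_abuse(text):
    """Return a list of findings: every ASP creation (mitigation item 1) and
    every ASP-authenticated login, rated by how unfamiliar its source is
    (mitigation item 5)."""
    findings = []
    interactive_ips = defaultdict(set)  # user -> IPs seen with MFA-backed logins
    asp_networks = defaultdict(set)     # user -> /24s seen with ASP logins
    churn_reported = set()

    for ev in parse_events(text):
        user, ip = ev["user"], ev["ip"]

        if ev["event"] == "asp_created":
            findings.append({"user": user, "kind": "asp_created", "severity": "medium",
                             "detail": f"new ASP '{ev['asp_name']}' created from {ip}"})
            continue
        if ev["event"] != "login":
            continue
        if ev["auth_method"] != "asp":
            # A full MFA sign-in: treat its source as part of the user's baseline.
            interactive_ips[user].add(ip)
            continue

        # From here on the login presented an ASP, i.e. no second factor.
        if ip in KNOWN_BAD_IPS:
            severity, why = "high", "source IP matches a published indicator"
        elif ip not in interactive_ips[user]:
            severity, why = "high", "source IP never seen in this user's MFA-backed logins"
        else:
            severity, why = "low", "source IP matches the user's own interactive logins"
        findings.append({"user": user, "kind": "asp_login", "severity": severity,
                         "detail": f"{ev['client']} login with ASP from {ip}: {why}"})

        # ASP logins spread across several networks suggest proxy/VPS rotation.
        asp_networks[user].add(network_of(ip))
        if len(asp_networks[user]) >= CHURN_THRESHOLD and user not in churn_reported:
            churn_reported.add(user)
            findings.append({"user": user, "kind": "asp_ip_churn", "severity": "high",
                             "detail": f"ASP logins from {len(asp_networks[user])} distinct /24 networks"})
    return findings


if __name__ == "__main__":
    for f in hunt_asp_abuse(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['user']:<18} {f['kind']:<13} {f['detail']}")
```

On the sample, the invented user prof@example.edu produces a medium finding for the ASP creation, two high findings for ASP logins (one because the source matches the page's IOC, one because the address has never appeared in that user's MFA-backed sign-ins) and a churn finding once ASP logins arrive from a second network; the benign ASP login from the user's own workstation address is rated low so the rule does not drown in noise from legitimate mail clients. The baseline is deliberately built only from MFA-backed logins, because an ASP login from an attacker address must never become "familiar" by virtue of repetition.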
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Poland, Estonia
Indicators of Compromise
- hash: 329fda9939930e504f47d30834d769b30ebeaced7d73f3c1aadd0e48320d6b39
- ip: 91.190.191.117
Technical Details
- Author: AlienVault
- TLP: white
- References: https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia
- Adversary: UNC6293
- Pulse Id: 68534db49e60b787909cdf94
- Threat Score: not set
Threat ID: 6854621733c7acc0460e0d2f
Added to database: 6/19/2025, 7:16:39 PM
Last enriched: 6/19/2025, 7:32:41 PM
Last updated: 8/14/2025, 11:37:03 PM