This threat campaign, tracked as UNC6293 and attributed with low confidence to the Russian state-sponsored group APT29 (also known as ICECAP), involves a sophisticated phishing operation targeting prominent academics and critics of Russia. The attackers impersonate the U.S. Department of State by sending highly tailored phishing emails disguised as meeting invitations, leveraging spoofed Department of State email addresses to enhance credibility. The core technique involves convincing victims to create Application Specific Passwords (ASPs) with attacker-specified names. ASPs are typically used to allow third-party applications or devices to access email accounts without requiring the primary account password. By obtaining these ASPs, the attackers gain persistent, stealthy access to victims' mailboxes without triggering typical login alerts or requiring repeated authentication. The campaign utilized residential proxies and VPS servers to mask attacker infrastructure and maintain access. Two distinct campaigns were observed, indicating a sustained and adaptive effort. The attackers employed extensive rapport-building and social engineering to increase the likelihood of victims complying with the ASP creation request. This method bypasses many traditional phishing defenses that focus on credential harvesting or malware delivery. The campaign is notable for its creative use of ASPs as a persistence mechanism, which is less commonly seen in phishing attacks. Indicators include a specific IP address (91.190.191.117) and a hash value linked to the campaign. The attack techniques correspond to multiple MITRE ATT&CK tactics and techniques such as T1114 (Email Collection), T1566 (Phishing), T1078 (Valid Accounts), and others related to credential access and persistence. No known exploits or CVEs are associated with this campaign, and it does not rely on software vulnerabilities but rather on social engineering and abuse of legitimate authentication features. The campaign was publicly disclosed in June 2025, with detailed analysis available from Google Cloud Threat Intelligence. Overall, this represents a targeted, state-sponsored espionage effort leveraging creative phishing and authentication abuse to compromise high-value individuals' email accounts.

For European organizations, especially academic institutions, think tanks, human rights organizations, and government bodies, this campaign poses a significant espionage risk. The targeted individuals—academics and critics of Russia—are often based in or collaborate with European entities, making these organizations potential indirect victims or secondary targets. Compromise of email accounts via ASP abuse enables attackers to maintain long-term, stealthy access to sensitive communications, intellectual property, and strategic discussions. This can lead to unauthorized data exfiltration, manipulation of communications, and potential reputational damage. The persistent access granted by ASPs circumvents many standard detection mechanisms, increasing the risk of prolonged undetected espionage. Additionally, the use of spoofed U.S. Department of State emails may cause confusion and mistrust in official communications, potentially disrupting diplomatic or academic collaborations. The campaign’s focus on tailored social engineering means that European organizations with prominent Russia-related research or policy roles are at elevated risk. While the campaign does not directly target European infrastructure or systems, the human targets within Europe are critical nodes in the information ecosystem, and their compromise could have cascading effects on European policy, research integrity, and security.

1. Implement strict monitoring and auditing of Application Specific Passwords (ASPs) usage within organizational email systems, including alerts for newly created ASPs and unusual naming conventions. 2. Educate high-risk personnel, especially academics and policy experts, about the specific phishing tactics used in this campaign, emphasizing skepticism of unsolicited meeting invitations and requests to create ASPs. 3. Enforce multi-factor authentication (MFA) methods that do not rely solely on ASPs, or restrict the use of ASPs where possible, favoring modern OAuth tokens or app-based authentication. 4. Deploy advanced email security solutions that can detect and block spoofed emails, including DMARC, DKIM, and SPF enforcement, combined with anomaly detection for sender behavior. 5. Conduct regular threat hunting focused on detecting persistent access via ASPs, including reviewing mailbox access logs for unusual IP addresses or proxy usage. 6. Collaborate with national cybersecurity centers and intelligence-sharing platforms to receive timely indicators of compromise related to UNC6293 and APT29. 7. Encourage the use of secure communication platforms for sensitive discussions, reducing reliance on email accounts vulnerable to such phishing. 8. Implement endpoint detection and response (EDR) tools that can identify lateral movement or data exfiltration attempts following mailbox compromise. These measures go beyond generic advice by focusing on the unique ASP abuse vector and the social engineering nuances of this campaign.