
Russian hackers stole Gmail passwords through phishing: the attack was aimed at the accounts of Russian crime researchers

A group of hackers linked to Russia’s foreign intelligence service has gained access to the Gmail accounts of Western experts, journalists, and researchers studying Kremlin propaganda and aggression against Ukraine. They got the victims to create passwords themselves and hand them over, which bypassed the accounts’ protection.

According to BleepingComputer, the cyberattack was carried out by the UNC6293 group. Western cyber intelligence associates it with APT29 (also known as Cozy Bear or Nobelium), which operates under the control of Russian intelligence services. The attack was carried out between April and June 2025. The campaign showed signs of being tailored to specific individuals: the victims received elaborate, multi-stage phishing emails.

Who are APT29?

Western intelligence agencies have linked the APT29 group to large-scale cyberespionage campaigns, including the hacking of the US Democratic Party servers in 2016 and the attack on SolarWinds in 2020. They target government structures, think tanks, human rights organizations, and the media.

One confirmed example was the attack on Keir Giles, a British expert on Russian information operations. He received a letter purporting to be from a US State Department official, inviting him to a «private conversation.» The letter copied in several plausible-looking official work email addresses, adding credibility.

After several exchanges, the victim was sent a PDF with instructions on how to create an «app-specific password.» This is a separate code that lets third-party apps and services sign in to a Gmail account without going through two-factor authentication. The document stated that this password should be sent to «State Department administrators» to gain access to the platform.

Thus, the victims themselves effectively granted full access to their accounts. Once logged in, the hackers could read mail, view documents, contacts, and obtain all confidential information. In several cases, Gmail accounts were used to further distribute phishing emails to other targets.

According to estimates by experts from Citizen Lab and Google Threat Intelligence Group, at least several dozen accounts were compromised as a result of the attacks, including those of researchers, diplomats, journalists, analysts on Russia, the war in Ukraine, NATO, and international security. The exact number of victims is not disclosed, but the campaign lasted for several months and covered various regions of Europe and North America.

The attackers used VPNs, VPS servers, and residential proxies to mask their location. Among the IP addresses observed logging into the compromised accounts was 91.190.191[.]117.

Google recommends that anyone working with sensitive information activate Advanced Protection. It blocks app-specific passwords and other third-party sign-in methods, making unauthorized access much harder even if a phishing attack succeeds.
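The two traces this campaign leaves in account logs, an app-specific password being created and then used from an unfamiliar address, and a sign-in from the published IP, are easy to check for. The script below is an added example written for this article, not code from BleepingComputer, Citizen Lab or Google; it runs over a constructed, simplified sign-in log (the field names and event types are assumptions, not Google’s real audit-log schema) and flags accounts that match either pattern.

```python
"""Flag accounts showing the app-specific-password pattern described in the
article. The log format is constructed for this example and is not Google's
real audit-log schema; the only real value is the IP published in the article."""
import json
from datetime import datetime, timedelta

# IoC from the article (printed there defanged as 91.190.191[.]117).
FLAGGED_IPS = {"91.190.191.117"}

# Constructed sample records, one JSON object per line (not real log data).
SAMPLE_LOG = """
{"ts": "2025-05-12T09:14:02Z", "user": "researcher@example.org", "event": "login", "ip": "203.0.113.5", "method": "2sv"}
{"ts": "2025-05-12T10:03:41Z", "user": "researcher@example.org", "event": "app_password_created", "ip": "203.0.113.5", "method": "web"}
{"ts": "2025-05-12T11:20:09Z", "user": "researcher@example.org", "event": "login", "ip": "91.190.191.117", "method": "app_password"}
{"ts": "2025-05-12T12:00:00Z", "user": "analyst@example.org", "event": "login", "ip": "198.51.100.7", "method": "2sv"}
{"ts": "2025-05-13T08:45:30Z", "user": "analyst@example.org", "event": "login", "ip": "198.51.100.7", "method": "app_password"}
"""


def parse_log(text):
    """Parse newline-delimited JSON records and convert timestamps."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def find_suspicious(records, window=timedelta(hours=48)):
    """Return (rule, user, timestamp, ip) tuples for three conditions:
    - any sign-in from a flagged IP;
    - an app-password sign-in within `window` of that user creating an app
      password, from a different IP than the creation (the hand-over pattern);
    - an app-password sign-in with no creation event seen for that user."""
    findings = []
    created = {}  # user -> (creation time, creation IP)
    for rec in sorted(records, key=lambda r: r["ts"]):
        user, ip = rec["user"], rec["ip"]
        if rec["event"] == "app_password_created":
            created[user] = (rec["ts"], ip)
            continue
        if rec["event"] != "login":
            continue
        if ip in FLAGGED_IPS:
            findings.append(("flagged_ip", user, rec["ts"], ip))
        if rec["method"] == "app_password":
            prior = created.get(user)
            if prior is None:
                findings.append(("app_password_login_without_creation", user, rec["ts"], ip))
            elif rec["ts"] - prior[0] <= window and ip != prior[1]:
                findings.append(("new_app_password_used_from_other_ip", user, rec["ts"], ip))
    return findings


def summarize(findings):
    """Group triggered rule names per user for a quick triage view."""
    by_user = {}
    for rule, user, _ts, _ip in findings:
        by_user.setdefault(user, set()).add(rule)
    return {user: sorted(rules) for user, rules in by_user.items()}


if __name__ == "__main__":
    for rule, user, ts, ip in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M} {user:<24} {ip:<16} {rule}")
```

On the constructed sample, the researcher account is flagged twice (sign-in from the published IP, and a freshly created app password used from a different address within the window), while the analyst account is flagged once for an app-password sign-in with no creation event in the log. An app-password sign-in from a new address soon after creation is the signal worth alerting on; enabling Advanced Protection removes the mechanism entirely.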

Recall that we previously wrote about how researchers discovered a large-scale malware distribution campaign involving hackers affiliated with Russia and commercial advertising platforms.
