How Russian Hackers Bypassed Gmail 2FA Using App Passwords – APT29’s Targeted Email Attack Explained

In a highly targeted campaign, Russian APT group APT29 tricked victims into creating Google App Passwords, allowing hackers to bypass Gmail’s 2FA security and gain long-term access to emails. Learn how this cyberattack unfolded, the dangers of app passwords, and expert tips to secure your account in 2025.


What Happened?

Between April and early June 2025, a Russia-linked actor that Google tracks as UNC6293, and assesses with low confidence to be associated with APT29 (also called Cozy Bear or Midnight Blizzard), got around Gmail's two-factor authentication (2FA) without breaking it. They convinced victims, mostly prominent academics and critics of Russia, to create Google App Passwords and hand them over, which gave the attackers mailbox access that persists until the app password is deleted.

This wasn't a fast attack. It relied on slow, carefully crafted social engineering to earn trust, manipulate victims, and quietly obtain access, all while avoiding the warning signs that ordinary phishing sets off.

Background: Who Is APT29?

APT29 is a Russian state-sponsored Advanced Persistent Threat group attributed to the Russian Foreign Intelligence Service (SVR). It has been behind many cyber-espionage operations, including intrusions into US government agencies, NATO-member governments and research institutions, and the 2020 SolarWinds supply-chain compromise. Its tradecraft favors stealth, long-term persistence and patient social engineering over noisy exploitation.

How the Attack Worked: Step-by-Step

Phase 1: Identified targets, mostly prominent academics and critics of Russia.
Phase 2: Initiated contact from a Gmail account posing as a US Department of State official, with four fake but plausible "@state.gov" addresses in CC.
Phase 3: Sent a meeting invitation and followed up politely to appear authentic.
Phase 4: Built trust over weeks of ordinary-looking correspondence.
Phase 5: Sent a PDF "guide" asking the victim to create a Google App Password and send it back, supposedly to register with a secure State Department platform.
Phase 6: Used the app password in a standard mail client (IMAP) to read the mailbox at will, with no second-factor prompt and no need for the account password.

What Are App Passwords?

Google App Passwords are 16-character codes that let an app or device sign in to a Google account with a single string and no second-factor prompt. They exist for legacy clients (older IMAP, SMTP, POP or CalDAV software) that cannot use the OAuth sign-in flow, and they can only be created on accounts that already have 2-Step Verification turned on.

On those legacy protocols an app password is a full substitute for the account password plus 2FA. It is shown to the user exactly once, it never expires on its own, and it stays valid until the user deletes it. APT29 did not break this mechanism; they convinced the target to create a code and send it over, which hands the attacker a credential Google itself issued. Google's own guidance is that app passwords are unnecessary in most cases, and one should never be typed anywhere except into the legacy app it was created for.
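To make the bypass concrete, here is an added example (written for this article, not Google's code, and it talks to no Google service) that models an account with two sign-in paths: the interactive one, which checks the password and an RFC 6238 TOTP code, and the legacy-client one, which accepts a 16-character app password and nothing else. The account name, the TOTP seed, the password and the app-password label are constructed. Running it replays the campaign against the model: the victim's web login still needs 2FA, the attacker's mail-client login with the leaked app password never does, deleting the app password locks the attacker out, and an account with app passwords disabled by policy (as Advanced Protection does) cannot be talked into creating one.

```python
"""Why an app password sidesteps 2FA: a toy model of the two sign-in paths.
Added example for this article, not Google's code; it talks to no Google
service. The account, the TOTP seed and the app-password label are constructed."""
import hashlib
import hmac
import secrets
import string
import struct
from dataclasses import dataclass, field
from typing import Optional


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the code an authenticator app shows."""
    mac = hmac.new(seed, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Account:
    password: str
    totp_seed: bytes
    app_passwords: dict = field(default_factory=dict)  # label -> 16-char code
    allow_app_passwords: bool = True  # Advanced Protection sets this to False


@dataclass
class Session:
    user: str
    method: str  # "password+totp" or "app_password:<label>"


class AuthServer:
    """Two front doors to one mailbox; only one of them asks for a second factor."""

    def __init__(self, accounts: dict):
        self.accounts = accounts
        self.audit: list = []  # the trail that "monitor account activity" reads

    def login_interactive(self, user, password, code, now) -> Optional[Session]:
        """Browser sign-in: the password AND a fresh TOTP are both required."""
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct.password, password):
            return None
        if not hmac.compare_digest(totp(acct.totp_seed, now), code):
            self.audit.append(("2fa_failed", user))
            return None
        return Session(user, "password+totp")

    def create_app_password(self, session: Session, label: str) -> str:
        """Only from an interactive session; the secret is displayed once."""
        acct = self.accounts[session.user]
        if not acct.allow_app_passwords:
            raise PermissionError("app passwords disabled by policy")
        code = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        acct.app_passwords[label] = code
        self.audit.append(("app_password_created", session.user, label))
        return code

    def login_legacy_client(self, user, secret) -> Optional[Session]:
        """IMAP/SMTP basic auth: one string, matched against app passwords only.
        No second factor is ever requested on this path; that is the bypass."""
        acct = self.accounts.get(user)
        if acct is None or not acct.allow_app_passwords:
            return None
        for label, ap in acct.app_passwords.items():
            if hmac.compare_digest(ap, secret):
                self.audit.append(("legacy_login", user, label))
                return Session(user, f"app_password:{label}")
        return None  # the real password is refused here once 2FA is on

    def revoke_app_passwords(self, user) -> int:
        acct = self.accounts[user]
        n = len(acct.app_passwords)
        acct.app_passwords.clear()
        return n


def demo() -> dict:
    """Replay the campaign against the model and return what each step yielded."""
    seed, user, pw = b"12345678901234567890", "target@example.com", "correct-horse-battery"
    srv = AuthServer({user: Account(pw, seed)})
    now, out = 1_750_000_000, {}
    out["wrong_totp"] = srv.login_interactive(user, pw, "000000", now)  # 2FA enforced
    sess = srv.login_interactive(user, pw, totp(seed, now), now)
    out["web_login"] = sess.method
    leaked = srv.create_app_password(sess, "state-dept-guest")  # the PDF's instruction
    out["attacker_login"] = srv.login_legacy_client(user, leaked).method  # no 2FA asked
    out["main_password_on_imap"] = srv.login_legacy_client(user, pw)
    out["revoked"] = srv.revoke_app_passwords(user)  # remediation
    out["attacker_after_revoke"] = srv.login_legacy_client(user, leaked)
    srv.accounts[user].allow_app_passwords = False  # hardened account
    try:
        srv.create_app_password(sess, "state-dept-guest")
        out["hardened_refused"] = False
    except PermissionError:
        out["hardened_refused"] = True
    out["audit"] = srv.audit
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

The point the model makes is that the second factor is enforced per sign-in path, not per account: the legacy path never calls `totp()` at all, so an attacker holding an app password is never challenged. The `audit` list is where a real monitoring rule would hook in; an `app_password_created` event followed by `legacy_login` from an address the user has never used is the whole campaign in two log lines.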

What Made This Attack So Effective?

  • No urgency or threats. The emails were polite, patient and unhurried, unlike typical phishing.

  • Realistic email headers. Four fake but believable "@state.gov" addresses in CC made the thread look like an internal government conversation, and because the State Department's mail server accepts mail for non-existent addresses, none of them bounced.

  • PDF instructions. A step-by-step guide walked the victim through creating an app password and naming it as instructed, so the victim did the sensitive step themselves on the real Google settings page.

  • Fake secure environment. Victims believed they were registering for an official Department of State collaboration system and that the app password was a registration detail rather than a credential.

  • Persistent access. Once in, the attackers could read the mailbox through an ordinary mail client, with no further 2FA prompts and no password reset to alert the victim.

What Is Device Join Phishing?

APT29 and other Russian actors have also been abusing the OAuth 2.0 device authorization grant (the "device code flow"), the sign-in method built for TVs, printers and command-line tools that cannot show a browser login. Here's how it works:

  • The attacker starts a device code request against Microsoft's sign-in service using a public client ID, and receives a short user code plus a device code that only the attacker holds.

  • The attacker sends the victim a meeting invite or chat message containing the user code and the genuine Microsoft device-login URL, framed as the way to join the meeting.

  • The victim opens the real Microsoft page, types the code and completes a normal sign-in, MFA included; nothing on the page looks fake because nothing is.

  • The attacker's client, which has been polling the token endpoint with the device code, receives the victim's access and refresh tokens.

  • In the "device join" variant, the attacker uses those tokens to register a new device with the victim's organization, establishing persistence that outlives the original tokens and again sidesteps the protections a normal login would apply.
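The exchange above, as an added example that is not Microsoft's code: it simulates the device code flow end to end with an in-process RFC 8628 authorization server, an attacker who starts the flow and polls for tokens, and a victim who types the code at the genuine verification page. The client ID, user name, endpoint URL and the policy switch that stands in for a Conditional Access rule blocking the device code flow are all constructed.

```python
"""OAuth 2.0 device authorization grant (RFC 8628) as abused by device code phishing.
Added example for this article, not Microsoft's code. The server is modelled
in-process; endpoint URL, client ID, user and the tenant policy switch are
constructed stand-ins for /devicecode, /token and a Conditional Access rule."""
import secrets
from dataclasses import dataclass
from typing import Optional

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # RFC 8628 section 6.1 recommended set


@dataclass
class DeviceGrant:
    device_code: str
    user_code: str
    client_id: str
    scope: str
    expires_at: int
    interval: int = 5
    approved_by: Optional[str] = None
    last_poll: int = 0


class AuthorizationServer:
    """Minimal RFC 8628 server. The exposure is by design: tokens go to whoever
    holds device_code, not to whoever typed user_code."""

    verification_uri = "https://login.example/devicelogin"  # constructed; stands in for microsoft.com/devicelogin

    def __init__(self, allow_device_code_flow: bool = True, lifetime: int = 900):
        self.allow_device_code_flow = allow_device_code_flow
        self.lifetime = lifetime
        self.grants: dict = {}
        self.by_user_code: dict = {}

    def device_authorization(self, client_id: str, scope: str, now: int) -> dict:
        """POST /devicecode. Needs only a public client_id, so anyone can call it."""
        g = DeviceGrant(device_code=secrets.token_urlsafe(32),
                        user_code="".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8)),
                        client_id=client_id, scope=scope, expires_at=now + self.lifetime)
        self.grants[g.device_code] = g
        self.by_user_code[g.user_code] = g
        return {"device_code": g.device_code, "user_code": g.user_code,
                "verification_uri": self.verification_uri,
                "expires_in": self.lifetime, "interval": g.interval}

    def user_signs_in(self, user_code: str, user: str, mfa_ok: bool, now: int) -> str:
        """What the verification page does after the victim types the code and passes MFA."""
        g = self.by_user_code.get(user_code)
        if g is None or now > g.expires_at:
            return "invalid_or_expired_code"
        if not mfa_ok:
            return "mfa_failed"
        if not self.allow_device_code_flow:
            return "blocked_by_policy"  # policy is evaluated after the user proves who they are
        g.approved_by = user
        return "approved"

    def token(self, device_code: str, now: int) -> dict:
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        g = self.grants.get(device_code)
        if g is None:
            return {"error": "invalid_grant"}
        if now > g.expires_at:
            return {"error": "expired_token"}
        if now - g.last_poll < g.interval:
            g.interval += 5  # RFC 8628: back off when polled too fast
            return {"error": "slow_down"}
        g.last_poll = now
        if g.approved_by is None:
            return {"error": "authorization_pending"}
        tokens = {"token_type": "Bearer", "scope": g.scope, "sub": g.approved_by,
                  "access_token": secrets.token_urlsafe(24),
                  "refresh_token": secrets.token_urlsafe(24)}
        del self.grants[device_code]  # a grant is redeemable once
        del self.by_user_code[g.user_code]
        return tokens


def run_phish(tenant_blocks_device_code: bool = False) -> dict:
    """Play both sides: attacker initiates, victim approves at the real page, attacker collects."""
    srv = AuthorizationServer(allow_device_code_flow=not tenant_blocks_device_code)
    t0, log = 1_750_000_000, {}
    # Attacker: start the flow with a public client and a mail scope (constructed values).
    start = srv.device_authorization("constructed-public-client-id", "Mail.Read offline_access", t0)
    log["user_code_sent_in_invite"] = start["user_code"]
    # Attacker polls while the lure is in flight: nothing yet.
    log["before_victim"] = srv.token(start["device_code"], t0 + 5)["error"]
    # Victim: opens the genuine verification_uri, types the code, completes MFA.
    log["victim_result"] = srv.user_signs_in(start["user_code"], "target@example.org", True, t0 + 60)
    # Attacker: the next poll returns the victim's tokens, or stays pending if policy blocked it.
    tok = srv.token(start["device_code"], t0 + 65)
    log["attacker_got"] = "tokens_for:" + tok["sub"] if "access_token" in tok else tok["error"]
    log["replay"] = srv.token(start["device_code"], t0 + 70)["error"]
    log["after_expiry"] = srv.token(start["device_code"], t0 + 2000)["error"]
    return log


if __name__ == "__main__":
    print(run_phish())
    print(run_phish(tenant_blocks_device_code=True))
```

Two things are worth noticing in the trace. The victim never sees the attacker's infrastructure: every URL is the real identity provider's, and MFA succeeds, so user training that looks for fake login pages does not help. And the only control that stops it is on the tenant side, a policy that refuses the device code flow for users who have no business using it; in the blocked run the attacker keeps polling and gets `authorization_pending` until the grant expires.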

Expert Insights

  • Citizen Lab, which analyzed one of the targeted inboxes, confirmed that the State Department's mail server accepts messages for addresses that do not exist, so the fake "@state.gov" CC recipients never produced a bounce that might have tipped the victim off.

  • Google's Threat Intelligence Group, which tracks the actor as UNC6293, described the lure as unusually personalized and slow-burning, with rapport built over several exchanges before an app password was ever mentioned.

  • Microsoft and Google have both issued alerts about rising abuse of OAuth flows and app-based permissions, including device code phishing against Microsoft 365 tenants.

How to Protect Yourself

✅ 1. Don't create or share app passwords

No legitimate registration process needs an app password, and nobody but the legacy app you are configuring should ever see one. If you have no such app, create none; if someone asks you to generate one and send it to them, treat that as an attempt to take over your mailbox. Journalists, academics and others at elevated risk should enroll in Google's Advanced Protection Program, which disables app passwords entirely.

✅ 2. Monitor account activity

Check Google Account > Security for devices and sessions you do not recognize, and sign them out. A mail client you never installed is the footprint this attack leaves.

✅ 3. Read Google's security alerts

Google sends a security alert when an app password is created and when a new device signs in. An app-password alert you did not expect means someone has access now: delete the app password, change your password and sign out of all sessions.

✅ 4. Be wary of PDF-based instructions

If someone you only know by email sends a PDF of steps that change your account settings, stop and verify through a channel you already trust. Legitimate government systems do not onboard you by asking for credentials.

✅ 5. Review third-party and app access

In your Google or Microsoft security dashboard, periodically review connected apps, app passwords and registered devices, and remove anything you cannot account for.
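As an added example of what "monitor account activity" can mean in practice on the Microsoft side of this story (this is the article's own rule logic, not a vendor detection), the script below runs two rules over constructed sign-in records shaped like Entra ID sign-in log entries: any successful device-code sign-in, and a device the user has never had appearing within 24 hours of one. It keys on the protocol and on device novelty rather than on geography, because residential proxies make the attacker's IP look as local as the victim's.

```python
"""Detection: device-code sign-ins and new devices that appear right after them.
Added example for this article, not Microsoft's or Google's code. The records are
constructed in the shape of Entra ID sign-in log entries (userPrincipalName,
ipAddress, authenticationProtocol, appDisplayName, deviceDetail.deviceId,
status.errorCode are real field names); the rules and thresholds are this
example's own assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_SIGNINS = [  # constructed sample data
    {"createdDateTime": "2025-05-12T08:01:00Z", "userPrincipalName": "a.scholar@example.org",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Office", "deviceDetail": {"deviceId": "dev-laptop-1"},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2025-05-13T09:15:00Z", "userPrincipalName": "a.scholar@example.org",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Outlook", "deviceDetail": {"deviceId": "dev-laptop-1"},
     "status": {"errorCode": 0}},
    # Victim enters the attacker's code at the real Microsoft page: a device-code
    # sign-in from an IP (residential proxy) never seen for this user, no device yet.
    {"createdDateTime": "2025-05-20T13:42:00Z", "userPrincipalName": "a.scholar@example.org",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Authentication Broker", "deviceDetail": {"deviceId": ""},
     "status": {"errorCode": 0}},
    # Minutes later a device this user has never had shows up: the "device join".
    {"createdDateTime": "2025-05-20T13:49:00Z", "userPrincipalName": "a.scholar@example.org",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Office", "deviceDetail": {"deviceId": "dev-unknown-9"},
     "status": {"errorCode": 0}},
    # A failed attempt and an unrelated user's normal sign-in: neither should alert.
    {"createdDateTime": "2025-05-20T14:00:00Z", "userPrincipalName": "a.scholar@example.org",
     "ipAddress": "198.51.100.8", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Authentication Broker", "deviceDetail": {"deviceId": ""},
     "status": {"errorCode": 50126}},
    {"createdDateTime": "2025-05-21T10:00:00Z", "userPrincipalName": "b.admin@example.org",
     "ipAddress": "203.0.113.44", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Azure Portal", "deviceDetail": {"deviceId": "dev-admin-2"},
     "status": {"errorCode": 0}},
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(records: list, join_window: timedelta = timedelta(hours=24)) -> list:
    """Two rules keyed on protocol and device novelty, not geography:
      1. any successful deviceCode sign-in (rare for interactive users);
      2. a never-before-seen deviceId for that user within join_window of rule 1."""
    seen_devices, seen_ips, last_device_code, alerts = defaultdict(set), defaultdict(set), {}, []
    for r in sorted(records, key=lambda x: x["createdDateTime"]):
        if r["status"]["errorCode"] != 0:
            continue  # failures grant nothing and must not seed the baseline
        user, ip, t = r["userPrincipalName"], r["ipAddress"], _ts(r["createdDateTime"])
        device = r.get("deviceDetail", {}).get("deviceId") or None
        if r["authenticationProtocol"] == "deviceCode":
            alerts.append({"rule": "device_code_signin", "user": user, "ip": ip,
                           "new_ip": ip not in seen_ips[user], "app": r["appDisplayName"],
                           "at": r["createdDateTime"]})
            last_device_code[user] = t
        if device and device not in seen_devices[user]:
            since = last_device_code.get(user)
            if since is not None and timedelta(0) <= t - since <= join_window:
                alerts.append({"rule": "new_device_after_device_code", "user": user,
                               "device": device, "ip": ip, "at": r["createdDateTime"],
                               "minutes_after": int((t - since).total_seconds() // 60)})
            seen_devices[user].add(device)
        seen_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_SIGNINS):
        print(alert)
```

Over the sample data the first rule fires on the 13:42 device-code sign-in and the second on the unknown device seven minutes later; the failed device-code attempt and the other user's routine login stay silent. On a real tenant the first rule is noisy only if people genuinely use device-code clients, which is itself the argument for blocking the flow by policy where it is not needed; the second rule is the one that catches the "device join" step regardless.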

Real-World Impact

This campaign was not random spam but targeted espionage. Victims were selected individually, the lures referred to their real work, and the payoff was quiet, ongoing read access to correspondence rather than a one-off credential theft. Google's report also describes a second lure in the same campaign, themed around Ukraine and Microsoft, aimed at a similar profile of target.

APT29 also shaped its infrastructure to avoid detection: logins with the stolen app passwords came through residential proxies and rented servers, so they arrived from ordinary consumer IP ranges rather than the hosting or anonymizer ranges that suspicious-login alerts key on.

Conclusion

The Russian group APT29 used app passwords and patient social engineering to bypass Gmail 2FA and read high-value mailboxes. The attack was subtle, professional and persistent, and it exploited no software flaw: a second factor protects only the sign-in paths that ask for it, and an app password is a path that never does. When trust is manipulated, a "secure" account is exactly as safe as the weakest credential its owner can be talked into creating.

FAQs 

What is APT29?

APT29, also known as Cozy Bear or Midnight Blizzard, is a Russian state-sponsored hacker group involved in cyber-espionage campaigns.

How did APT29 bypass Gmail's 2FA?

They convinced users to generate Google App Passwords, which a mail client can use over IMAP or SMTP in place of both the account password and the 2FA step.

What are App Passwords in Gmail?

App Passwords are 16-character codes that let legacy apps, which cannot use Google's OAuth sign-in, access the account with a single string and no 2FA prompt.

Why are App Passwords risky?

Once generated, an app password grants the same mailbox access as the main password without any 2FA, never expires on its own, and remains valid until deleted; whoever holds it holds the mailbox.

What is 2FA?

2FA stands for Two-Factor Authentication, a security measure that requires both a password and a second verification step.

Who were the victims of this attack?

Prominent academics, government critics, and individuals connected to U.S. and Ukrainian affairs were targeted.

How did attackers contact victims?

They wrote from a Gmail account posing as a US State Department official, with four fabricated "@state.gov" addresses in CC so that the thread looked like official correspondence.

What is UNC6293?

UNC6293 is the designation Google's Threat Intelligence Group uses for the actor behind this campaign, which it assesses with low confidence to be associated with APT29.

How does social engineering play into this?

The attackers slowly built trust over emails before tricking users into generating app passwords.

What is a phishing campaign?

Phishing is a fraudulent attempt to obtain sensitive information by pretending to be a trustworthy source.

Why didn’t Gmail stop these logins?

Because an app password is a valid credential that Google issued to the account holder. A mail client signing in with it over IMAP looks like the owner's own legacy app, no 2FA challenge applies on that path, and the attackers' residential-proxy addresses did not resemble the hosting or anonymizer ranges that suspicious-sign-in alerts key on. Google does send an alert when an app password is created, but the victim had created it deliberately, so the alert only confirmed what they had been told to do.

What other services were targeted?

Google's report describes a second lure in the same campaign, themed around Ukraine and Microsoft, aimed at similar targets. Microsoft 365 accounts are the target of the related device code phishing campaigns described above.

What is device join phishing?

It's a variant of device code phishing: the victim is tricked into entering an attacker-generated code at Microsoft's real sign-in page, the attacker's client receives the resulting tokens, and the attacker uses them to register a new device against the victim's account for persistent access.

Is this attack still active?

Google reports the campaign ran from April to early June 2025; the technique remains usable and should be expected to return in modified forms.

How did the attackers avoid detection?

They used residential proxies and rented servers, so logins came from ordinary consumer IP ranges that do not trigger the alerts reserved for hosting providers, anonymizers or unusual geographies.

What is Google Threat Intelligence Group (GTIG)?

GTIG is a cybersecurity division within Google that investigates and reports on advanced cyber threats.

What should I do if I think I was targeted?

Go to Google Account > Security: delete every app password, sign out of any device or session you don't recognize, change your password, and review third-party access. If you are a likely target, enroll in the Advanced Protection Program so app passwords cannot be created at all.

Can antivirus software stop this attack?

No. The attack involves no malware or exploit: the victim creates a valid credential and sends it away, and the attacker then uses a normal mail client. There is nothing on the endpoint for antivirus to detect; the defense is policy (no app passwords), user awareness and account-activity monitoring.

What is the safest way to use 2FA?

Use a passkey or a FIDO2 hardware security key, which cannot be phished because the browser checks the site origin; an authenticator app such as Google Authenticator is the next best. Avoid SMS where you can, and remember that an app password is not a second factor at all but a way around one.

How do attackers make emails look legit?

They send from a free-mail account posing as an official, pad the CC line with fabricated government addresses, and keep a long, plausible thread going so that the eventual request looks routine.

What did the PDF attachment do?

The PDF guided victims step-by-step to generate and share their app password.

Can I disable App Passwords in Gmail?

There is no single switch for individual users, but you can delete every existing app password from the App passwords page in your Google Account settings, and enrolling in Google's Advanced Protection Program disables app passwords entirely. "Less secure app access" is a separate, now-retired setting and is not involved here.

Why did Google allow this feature to exist?

App passwords were created to help older apps that don’t support modern login flows access Gmail.

Are there other known campaigns using this method?

Yes. Microsoft has reported device code phishing campaigns by Russian actors against Microsoft 365 accounts, abusing the same OAuth device code flow described above.

How does OAuth phishing work?

It tricks the victim into completing a legitimate OAuth authorization, either by consenting to permissions for an app the attacker controls or by entering an attacker-initiated device code, so that the attacker receives valid tokens without ever seeing the password.

What is Cozy Bear known for?

Cozy Bear has been linked to numerous high-profile hacks including those of U.S. federal agencies.

How long did APT29 monitor targets?

They reportedly maintained access to inboxes over several weeks once app passwords were set up.

Are government institutions vulnerable to these attacks?

Yes, especially if individual employees fall victim to phishing or misuse authentication tools.

What security measures can prevent these attacks?

Use modern apps that support OAuth so app passwords are never needed, disable app passwords and the device code flow where they are not required, monitor account activity for new devices and sign-in methods, and train users to recognize slow-burn social engineering as well as classic phishing.

What role does Microsoft play in this case?

Microsoft 365 accounts are targeted by a parallel campaign that abuses the OAuth device code flow. This is misuse of a legitimate sign-in feature, not a software exploit, and the countermeasure is a Conditional Access policy that blocks the device code flow for users who do not need it.

Can this affect personal Gmail users too?

Yes, if users fall for similar phishing emails or share their app passwords with attackers.
