Russian state-sponsored hacking group APT29, also known as “Cozy Bear,” has launched a sophisticated phishing campaign that successfully bypassed Gmail’s two-factor authentication (2FA) by exploiting app-specific passwords. The attackers posed as U.S. State Department officials, targeting academics, think tank members, and individuals critical of the Kremlin.

The campaign, active from April to early June 2025, involved weeks-long social engineering. Victims were led to believe they were engaging with legitimate U.S. government personnel. Once trust was established, they were persuaded to create app passwords and share them with the attackers. App passwords are an older Gmail feature that allows access to an account without needing 2FA.

By using these app-specific passwords, APT29 gained persistent access to the victims' Gmail accounts without having to pass a 2FA challenge. Google and cybersecurity watchdog Citizen Lab have confirmed the details of the campaign and are actively working with affected parties to secure compromised accounts.

This attack highlights the continued evolution of state-sponsored cyber threats and the importance of user vigilance—even with advanced security features in place.
