APT29's Novel 2FA Bypass: How Russian Hackers Outsmart Gmail Security

The Russian state-sponsored hacking group APT29 (also known as Cozy Bear) has developed a concerning new capability: bypassing two-factor authentication (2FA) on Gmail accounts through purely social engineering methods, eliminating the need for malware deployment in credential harvesting operations.

According to cybersecurity researchers tracking the group's activities, APT29 has been conducting targeted campaigns against international critics of Russian policies and academic researchers studying Eastern European affairs. The attacks follow a multi-stage playbook that represents a significant evolution in credential theft techniques.

The attack methodology begins with extensive reconnaissance to identify high-value targets. Operators then initiate what appears to be legitimate professional communication, often posing as journalists, fellow researchers, or conference organizers. These interactions are designed to build trust over weeks or months using tailored social engineering tactics.

Once rapport is established, attackers guide targets through a carefully crafted process to obtain app-specific passwords (ASPs), a feature Google provides to allow legacy applications to access Gmail accounts without 2FA prompts. By convincing targets to generate or reveal these ASPs, the attackers gain persistent access that bypasses all 2FA protections.

This technique is particularly concerning because:

  1. It leaves no malware footprint for detection systems
  2. It exploits legitimate account features rather than vulnerabilities
  3. The access persists even after password resets (until ASPs are revoked)
  4. It bypasses hardware security keys and other strong 2FA methods

Security teams should note that this attack vector specifically targets:

  • Google Workspace accounts with 2FA enabled
  • Users who have generated app-specific passwords
  • Organizations with limited monitoring of ASP usage

Mitigation recommendations include:

  • Disabling app-specific passwords where possible
  • Implementing session duration limits
  • Monitoring for unusual ASP usage patterns
  • Conducting targeted security awareness training about this specific threat
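One way to act on the "monitor for unusual ASP usage" and "access persists after password resets" points is to correlate ASP creation, ASP-authenticated logins and password changes per user. The code below is an added illustration, not from the article or from Google: the event names and fields are assumptions modelled loosely on an exported Workspace audit log, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events. The schema (ts/user/event/ip and the event names)
# is an assumption for this example, not Google's real audit-log format.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00", "user": "alice@example.org", "event": "login_success", "ip": "203.0.113.10"},
    {"ts": "2024-03-02T10:00:00", "user": "alice@example.org", "event": "login_success", "ip": "203.0.113.10"},
    {"ts": "2024-03-03T14:05:00", "user": "alice@example.org", "event": "asp_created", "ip": "203.0.113.10"},
    {"ts": "2024-03-03T15:30:00", "user": "alice@example.org", "event": "asp_login", "ip": "198.51.100.77"},
    {"ts": "2024-03-10T08:00:00", "user": "alice@example.org", "event": "password_change", "ip": "203.0.113.10"},
    {"ts": "2024-03-11T03:12:00", "user": "alice@example.org", "event": "asp_login", "ip": "198.51.100.77"},
    {"ts": "2024-03-01T09:00:00", "user": "bob@example.org", "event": "login_success", "ip": "192.0.2.5"},
    {"ts": "2024-03-04T09:00:00", "user": "bob@example.org", "event": "asp_created", "ip": "192.0.2.5"},
    {"ts": "2024-03-04T09:10:00", "user": "bob@example.org", "event": "asp_login", "ip": "192.0.2.5"},
]

def analyse_asp_activity(events, new_ip_window_hours=48):
    """Return (user, finding) tuples for ASP patterns that merit analyst review."""
    findings = []
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        known_ips = set()          # addresses seen in interactive (2FA) logins
        asp_created_at = None      # most recent un-revoked ASP creation
        pwd_changed_at = None      # most recent password change
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if e["event"] == "login_success":
                known_ips.add(e["ip"])
            elif e["event"] == "asp_created":
                asp_created_at = t
            elif e["event"] == "password_change":
                pwd_changed_at = t
            elif e["event"] == "asp_revoked":
                asp_created_at = pwd_changed_at = None   # revocation closes the exposure
            elif e["event"] == "asp_login":
                # A freshly created ASP used soon afterwards from an address the user
                # never signed in from interactively matches the walk-through scenario.
                if (asp_created_at and t - asp_created_at <= timedelta(hours=new_ip_window_hours)
                        and e["ip"] not in known_ips):
                    findings.append((user, "new_asp_used_from_unknown_ip:" + e["ip"]))
                # ASP use after a password change shows the reset did not cut access:
                # the ASP itself was never revoked.
                if pwd_changed_at and t > pwd_changed_at:
                    findings.append((user, "asp_login_after_password_change"))
    return findings

if __name__ == "__main__":
    for user, finding in analyse_asp_activity(SAMPLE_EVENTS):
        print(user, finding)
```

Bob's ASP is used from his usual address and raises nothing; Alice's ASP is first used from an unknown address and keeps working after her password change, which are exactly the two signals the recommendations above ask teams to watch for.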

The emergence of this technique demonstrates how advanced threat actors are adapting their tradecraft to circumvent modern security controls. As organizations increasingly adopt 2FA, attackers are finding creative ways to bypass these protections through human manipulation rather than technical exploits.

NewsSearcher AI-powered news aggregation
