What's in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia

June 23, 2025, 8:11 p.m.

Description

A Russian state-sponsored cyber threat actor impersonated the U.S. Department of State to target prominent academics and critics of Russia. The attackers used extensive rapport building and tailored lures to convince targets to set up application-specific passwords (ASPs). Once obtained, these ASPs allowed persistent access to victims' mailboxes. Two distinct campaigns were observed, both using residential proxies and VPS servers for access. The attackers sent phishing emails disguised as meeting invitations, including spoofed Department of State email addresses to increase legitimacy. Victims were directed to create ASPs with specific names, which the attackers then used to access their email accounts. This activity is tracked as UNC6293 and is assessed with low confidence to be associated with APT29 / ICECAP.

Date

  • Created: June 18, 2025, 11:37 p.m.
  • Published: June 18, 2025, 11:37 p.m.
  • Modified: June 23, 2025, 8:11 p.m.

Indicators

  • 329fda9939930e504f47d30834d769b30ebeaced7d73f3c1aadd0e48320d6b39
  • 91.190.191.117

Attack Patterns

Additional Information

  • Government
  • United States of America