Keir Giles, a British expert on Russian information operations, has been targeted by a sophisticated spear phishing attack using novel social engineering techniques. The writer and senior consulting fellow at the UK think tank Chatham House was lured into sending app-specific passwords to someone impersonating a US State Department employee. The Google Threat Intelligence Group (GTIG) investigated the case in collaboration with the Citizen Lab. The tech giant attributed the campaign to a threat actor tracked as UNC6293 and assessed “with low confidence” that the cluster is associated with APT29, a cyber espionage group linked to Russia’s Foreign Intelligence Service (SVR).

Email From a Fake US State Department Official

On May 22, 2025, Giles received an email from someone posing as ‘Claudie S. Weber’ who purported to be a senior program advisor at the US Department of State (DoS). In the email, ‘Claudie S. Weber’ invited Giles to a meeting to discuss “certain recent developments” with the sender and their colleagues.

The first outreach, offering a highly plausible scenario of a consultation. Source: The Citizen Lab

Such an invitation is “something that would be common for him to receive,” said the Citizen Lab in its report, published on June 18. However, the researchers stated that they were unable to find any ‘Claudie S. Weber’ in the US State Department registries or elsewhere. While the attacker used a Gmail account for the entire interaction (claudie.s.weber[at]gmail.com), they cc’d four other email addresses ending with @state.gov, including ‘WeberCS[at]state.gov,’ as a way of making the email exchange look more credible. “We believe that the attacker is aware that the State Department’s email server is apparently configured to accept all messages and does not emit a ‘bounce’ response even when the address does not exist,” said the Citizen Lab researchers. They also assessed that the generic tone and evasiveness of the email sender could suggest that the attacker used a large language model (LLM) to craft the message.

Leveraging App-Specific Passwords

Although the initial email did not contain any malicious content, a subsequent email included a PDF file with instructions to register for an “MS DoS Guest Tenant” account.

The fake “MS DoS” PDF was crafted to feature numerous visual elements reminiscent of a legitimate State Department document. Source: The Citizen Lab
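The credibility trick described above, a consumer webmail sender cc’ing institutional addresses whose local part mirrors the sender’s own name, is something a mail gateway or SOC triage script can flag on headers alone. The following is an added example written for this article, not code from Google, the Citizen Lab or the reporting; the sample headers, names and addresses are constructed placeholders, and the list of webmail domains is an assumption to be extended for your environment.

```python
"""Heuristic header check for the 'webmail sender, institutional CCs' lure pattern."""
import email
import re
from email.utils import getaddresses, parseaddr

# Assumption: a starter list of consumer webmail domains; extend for your environment.
FREEMAIL_DOMAINS = {
    "gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
    "yahoo.com", "proton.me", "protonmail.com",
}

# Constructed sample headers: the names, addresses and domains are placeholders.
SAMPLE_LURE = """\
From: Alex R. Mason <alex.r.mason@gmail.com>
To: analyst@example.org
Cc: MasonAR@state.example.gov, office.director@state.example.gov
Subject: Consultation on certain recent developments
Message-ID: <constructed-1@gmail.com>

Dear colleague, my colleagues and I would welcome a short meeting.
"""

SAMPLE_BENIGN = """\
From: Jamie Lee <jamie.lee@gmail.com>
To: analyst@example.org
Cc: friend@gmail.com
Subject: Lunch?

Free on Thursday?
"""


def _domain(addr):
    """Return the lower-cased domain of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _name_tokens(display_name):
    """Alphabetic tokens of three or more characters from a display name (drops initials)."""
    return {t for t in re.findall(r"[A-Za-z]+", display_name.lower()) if len(t) >= 3}


def assess_headers(raw):
    """Score one RFC 822 message on the sender/CC pattern described in the article.

    Flags messages whose From address is on a consumer webmail domain while the
    Cc list carries non-webmail (institutional) addresses, and separately records
    any Cc whose local part contains a token from the sender's display name.
    """
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    cc_pairs = getaddresses(msg.get_all("Cc", []))

    freemail_sender = _domain(from_addr) in FREEMAIL_DOMAINS
    tokens = _name_tokens(from_name)
    institutional_cc = []
    name_mirrored_cc = []
    for _, cc_addr in cc_pairs:
        dom = _domain(cc_addr)
        if dom and dom not in FREEMAIL_DOMAINS:
            institutional_cc.append(cc_addr)
            local_part = cc_addr.split("@", 1)[0].lower()
            if any(t in local_part for t in tokens):
                name_mirrored_cc.append(cc_addr)

    return {
        "from": from_addr,
        "freemail_sender": freemail_sender,
        "institutional_cc": institutional_cc,
        "name_mirrored_cc": name_mirrored_cc,
        # Webmail sender plus institutional CCs is the core signal; a mirrored
        # name in a CC local part raises the priority for analyst review.
        "suspicious": freemail_sender and bool(institutional_cc),
    }


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, assess_headers(sample))
```

The check is deliberately header-only so it can run before any attachment is opened; in a real deployment the `institutional_cc` list is the place to add a lookup against your own directory, since an unknown address at a partner domain is exactly what the researchers could not find for ‘Claudie S. Weber’.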