Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
John Scott-Railton Profile picture
@jsrailton
Jun 18, 2025 10 tweets 6 min read Read on X
Scrolly
🚨NEW REPORT: exposing a new hacking tactic.

🇷🇺Russian state-backed hackers used an App-Specific Password attack against prominent Russia expert @KeirGiles & others.

It's like they know what we all expect from them...and then did the opposite 1/

By us @citizenlab & @google's GTIGImage
Image
Image
2/ Let's begin: @KeirGiles gets a message purporting to be from @StateDept asking for a consultation.

The attackers send the message from a @gmail, but CC'd a bunch of email addresses @ state.gov.

Strong credibility signal to have a bunch of gov ppl on the CC line right?

Well, what the attackers were counting on is that the State Dept mailserver just accepts all email addresses without emitting a bounce.

So they seem to have just created some fake State Dept staff names and addresses.Image
3/ The attackers wait for the 2nd interaction to introduce the pivotal deception: getting @KeirGiles to 'connect to a secure platform.'

In the next days they patiently walk him through what they want him to do, even sending a very official looking (but fake) State Dept. documentImage
Image
4/ The attack works like this: the attackers try to deceive @keirgiles into creating and sharing an App-Specific Password (ASP) with them.

They do this by reframing ASPs as something that will let him access a secure resource (spoiler: not how this works)

What's an ASP? Well, not every app that users want to use supports Multi-Factor Authentication.

Some older email clients for example don't. So providers like @Google let users create a special password just for those apps.Image
Image
5/ This attack was like slow food. 10 email exchanges over several weeks! Very much not your run-of-the-mill phishing.

Ultimately, @KeirGiles realized something was wrong and got in touch with us @citizenlab, but not before the attackers got access
@KeirGiles @citizenlab 6/ Takeaway for us: some sophisticated threat actors are feeling pressure & innovating.

Trying to move away from smash & grab phishing for passwords (& maybe your 2nd factor code)... and going for something more subtle, slower perhaps less detectable.

citizenlab.ca/2025/06/russia…
7/ Who targeted @KeirGiles? Folks at @google Threat Intelligence Group (GTIG) have analysis & attribution! Great!

🇷🇺#UNC6293, a Russia state-sponsored threat actor w/additional low confidence association to #APT29 (that would be the Russian #SVR)

By @gabby_roncone & @wxs
cloud.google.com/blog/topics/th…Image
8/ There were so many clever bits to this attack, it's easy to imagine a lot of people falling for it.

Everything was clean. The doc looked real. The language was right. Email addresses at the State Dept. seemed to be CC'd.. I could go on.

They even had Keir enter "ms.state. gov" into the ASP name...

(this doesn't do anything but further the deception that he's adding an external app to his Gmail, that name field accepts any text you want to put in there)Image
@KeirGiles @citizenlab @Google @gabby_roncone @wxs 9/ Targeting App-Specific Passwords is novel.

But it's just part of a trend of state-backed attackers innovating & moving beyond simple phishing.

The folks @volexity have been doing great work on this theme.

Recommended Reads: volexity.com/blog/2025/02/1…
volexity.com/blog/2025/04/2…
10/ Coda: Every @citizenlab report is a team production. Especially when they come together fast.

Big props to my coauthors @PDXbek & @billmarczak and the many colleagues & coworkers that jumped in here to help out and get this report done!

Plus special thanks to @KeirGiles for so graciously working with us to understand & get his case shared.Image

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with John Scott-Railton

John Scott-Railton Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @jsrailton

John Scott-Railton Profile picture
May 7
It is hard to denounce China's Great Firewall when European politicians are preparing to demand the same thing.

It always starts with a call to protect children.

But it ends with adults needing permission to share their political views.

Embarrassingly short sighted.
2/ Parents want to protect their children, but once you build & implement bones of a system like this, with government developed 'verification' apps you've loaded the gun & pointed it at free expression.

You also suppress innovation.
3/ The funny thing? Every dictatorial regime has struggled to fight VPNs..

So what happens? You wind up with motivated & well-resourced people circumventing your controls...

And a society where everyone simultaneously feels less private & like they should be self-censoring.
Read 5 tweets
John Scott-Railton Profile picture
May 2
PAY ATTENTION: China just figured out a global veto on who gets to speak.

#RightsCon is a massive tech & rights conference.

Thousands attend from everywhere.

It was scheduled for next week in #Zambia with their gov's full cooperation.

Then, 🇨🇳#China made a call. 1/Image
2/ Last Monday, the #Zambian endorsed #RightsCon. Again.

Then, pressure from #China came down hard.

Almost immediately, things went sideways.

Starting at the border...

rightscon.org/rc26-statement/Image
Image
3/ People were already flying in from all over the globe to #Zambia... thousands were to follow.

Suddenly the tone at customs changed.

Customs officials were telling exhausted & puzzled attendees that their conference was cancelled.

Meanwhile? Official silence.

Weird, right?Image
Read 8 tweets
John Scott-Railton Profile picture
Apr 9
BREAKING: You checked the weather this morning.

And you just told a surveillance company where you sleep.

Meet #Webloc, used by ICE, cops & foreign govs to track 500m+ phones.

No warrant required.

Our latest @citizenlab investigation + how to protect yourself 🧵/1Image
Image
2/ Heard of ADINT aka ADvertising INTelligence?

Your apps don't just show ads.

They stream of info about your GPS location + a unique identifier to HUNDREDS OF BROKERS EVERY SECOND.

The industry swears the data is "anonymous" but it's actually a Spies-eye-view. Of everyone.Image
3/ Companies peddle the BS that advertising data is 'anonymous'

They want to keep you in the dark.

Because, behind the scenes...your weather app is a blinking tracking beacon.

And then players like @penlink turn that beacon into a data flow.

And sell it to governments.
Read 15 tweets
John Scott-Railton Profile picture
Mar 19
NEW: French sailor reveals position of aircraft carrier with his fitness app.

Run tracking app @Strava shows Charles de Gaulle as it steams across the Med.

#stravaleaks strike..again!

Story by @lemonde. 1/ Image
Image
2/ The massive OPSEC threat posted by fitness apps isn't just well known. It keeps happening.

I first wrote about it in...2018!

Hostile forces can use #Fitleaking for intel gathering, planning attacks...even targeting missile strikes.

Receipts: web.archive.org/web/2022081919…Image
Image
Image
Image
3/ Poor Arthur. But this is an institutional signal that, ~8 years in, militaries are still allowing enough location-aware devices in that it's a big threat.

Incidentally, the @lemondefr team has now been on the #stravaleaks issue for 3 years! I

It just keeps happening.

By @AsiaBalluff @seb_bourdon @liselottemas @antoineschirer
lemonde.fr/international/…Image
Image
Read 7 tweets
John Scott-Railton Profile picture
Mar 11
UPDATE: @Plaid for AI happened faster than I warned.

We are in a historic transformation around AI agents.

Disruption will extend to the core of your privacy.

Companies know the appeal of agentic AI & are working to lock consumers into ecosystems designed to maximize data extraction.

It's not too late, but it might be soon.

But the thing about transformative moments is that new possibilities often open simultaneously with the risks.

We need to build, experiment with & use good private + open AI tools, local models that respect privacy by default & confidential inference that prevents companies from mining the data they process.

Do that & give us a fighting chance for future that respects our freedom, and our boundaries.

Sleep on the challenge of building openly & we relinquish the playing field to the same companies and dynamics that already degrade our autonomy...only faster & everywhere.Image
2/ What's the deal with @Plaid?

I find people are dimly aware about something involving connecting banking accounts.

I bet you don't know that Plaid helps themselves to mountains of your financial data in exchange for the convenience.Image
3/ Basically, by providing 'rails' @Plaid has managed to get an absolutely gods-eye-view on peoples financial behavior.

In real time.

That data is available to other companies. And governments.

You are the product.Image
Read 5 tweets
John Scott-Railton Profile picture
Mar 10
BREAKING: powerful iPhone hacking tools used by Chinese criminals originated from US defense giant L3 Harris.

The $LHX zero-click exploits went to Russian spies too.

Unbelievable harm to our collective security.

Scoop by @lorenzofb, here's why this matters 1/Image
Image
2/ Last week, the team @google blew open a massive hacking operation: #Coruna.

A Chinese hacking operation somehow had a huge catalogue of very, very good iPhone exploits stealing banking information from people all over the web.

Hard to overstate how bizarre this was...Image
Image
3/ Thing is, the powerful #Coruna exploits didn't originate with Chinese cybercriminals.

Some months before they were used by #Russian government hackers.

But before that? Well, as @Google Threat Intel described it, it was being used by a customer of a surveillance company...

Report cloud.google.com/blog/topics/th…Image
Image
Read 16 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(