Claudie Weber is a senior program advisor at the U.S. State Department. She got in touch with me by email in May, looking to discuss “recent developments” and copying several of her departmental colleagues. That’s not unusual for people in my line of work. What was slightly less common was that “Claudie” didn’t exist, and neither did any of her colleagues with State Department addresses. The approach was part of a careful plan to break into my Gmail account. And it seems to have succeeded.
For professional Russia watchers such as myself, being the subject of unwanted online attention comes with the job. Crude attempts at hacking and phishing are more or less constant, and every now and then we encounter something genuinely novel or clever. Back in 2019, I blew the whistle on an online deception campaign using LinkedIn that was the first documented instance of a deepfake-generated face being used as part of such an operation. A couple of years later, a well-constructed phishing attempt had me half a second away from clicking on a deceptive link that appeared to be an appointment reminder from my actual, real, optician.
But Claudie’s efforts were different again. The operators behind the name carefully, painstakingly brought together a number of different pillars of plausibility, and unlike on previous occasions, they didn’t put a foot wrong. For instance, they plainly knew that the first thing I would do was write back to her “colleagues” at their state.gov addresses to see if they existed—but they also knew, which I didn’t, that the U.S. State Department’s email server accepts all incoming messages and won’t show you an error if you write to nonexistent people.
What followed was a slow, patient, and ultimately successful process of coaching me into opening up a backdoor to all of my emails.
The hacking of my email account has been described in detail by the University of Toronto’s Citizen Lab, an organization dedicated to protecting civil society against state campaigns of this kind, and you can read some of the email traffic with “Claudie” in their report. Google’s Threat Intelligence Group has also reported on the operation and linked it to others that they tentatively associate with the Russian Foreign Intelligence Service.
The attack used a feature in Gmail and other apps called an application-specific password, or ASP. That’s a means of creating a special password so that you can still use older or less secure apps that don’t support modern security protocols.
And that’s where the problem lies: ASPs are a widely available means of bypassing all of the security precautions that we are all told so insistently to make sure are in place, such as getting verification codes sent to our phones. The feature is supported by Microsoft, Apple, Google, and other platforms as a seemingly routine technical workaround when other security systems don’t work, with little to no user-friendly warnings about how dangerous a tool such as this can be.
Importantly, the hack didn’t exploit some technical vulnerability in the software. As Google has pointed out, there “wasn’t a flaw in Gmail itself”; instead, “the attackers abused legitimate functionality.” That is correct: The ASP setup worked exactly as intended. The attack worked by convincing me to set up a route into my account that is built in by design, rather than by outwitting the security and breaking in. In the most literal sense, this backdoor to our email accounts is not a bug but a feature.
But there’s a problem with that. The fact that there is a widely available option to bypass today’s security precautions and throw your account wide open was an unexpected discovery not just for me, but also for anybody I’ve spoken to who isn’t deep in the cybersecurity business.
So for Google to say that “there is no vulnerability connected to Google’s application-specific passwords” is, again, technically correct but potentially very misleading in terms of how easily ASPs can be exploited—as demonstrated by my case and by however many others there might be by now. (I seem to be the first person who has gone public about being targeted in this way, but I’m sure I won’t be the last.)
As Google has also pointed out, users get a notification email when they create one of these passwords. But that’s of limited use when you already know that you set one up, whether or not you were deceived into doing so.
Because everything worked as intended, there was no way that I could see that anything was wrong. To Google’s credit, it was its security systems that eventually noted that something was amiss and caused my account to be frozen. After recovering my account, I found a notification buried deep in the security settings about a login from a suspicious address—dated eight days before Google locked my account with no warning.
The way that the platforms have tightened digital security while retaining the option of using ASPs to connect is like investing in heavy new locks for your front door but leaving the side door wide open for people who don’t have the keys. Because it involved a clever new attack that could affect almost anyone, my case has created quite a bit of attention in media specializing in cybersecurity. Organizations other than Google have naturally been readier to recognize the security problem. As Sophos, another cybersecurity company, politely noted in a warning to customers on June 18: “The potential impact of creating an app password and providing it to a third party is not made clear in the creation process.”
In other words, what would really have helped was a warning during the process of setting up ASPs of exactly what they are and what they do, which would have alerted me to what was going on. Google has correctly pointed out that there is a warning along those lines in their help files. But that doesn’t help if you don’t go to those help files—because, as in my case, your attacker has kindly provided an authentic-looking manual of their own to walk you through the process.
The real heroes of this story are at the Citizen Lab—in particular, the privacy and security guru John Scott-Railton. It was John, together with Reuters journalists Raphael Satter and James Pearson, who helped me piece together what had happened when all I could see was that Google had frozen my accounts (and in one case, telling me that this was because of “policy violations”). And it was they who used their professional contacts at Google to try to help me regain control.
The Citizen Lab calls itself an “interdisciplinary laboratory” focused on research in information technology and human rights. But their investigations of digital espionage against civil society—and their efforts to protect citizens’ privacy and other rights against corporations and state agencies—are invaluable for people like me who point the finger at evildoers such as the Russian state but don’t have the support of powerful governments or institutions behind them.
Several people have asked me if I’m concerned about what the attackers will do with messages that they copied from my account. One expected next step is that whatever emails were stolen from the account will be used in a hack-forge-dump attack, where the hackers pass them to Russia’s Western proxies or sympathizers to release as a “leak” intended to discredit Moscow’s adversaries.
Back in 2023, when Scottish parliamentarian and Russia critic Stewart McDonald was similarly targeted, it took less than 48 hours after his announcement that he had been hacked by Russia for British activist Craig Murray to boast that he had obtained McDonald’s emails.
The so-called leak is usually a mixture of genuine messages and files, some that have been altered, and others that are simply invented—plus, often, malware and viruses to infect anybody curious enough to download them. The aim could be to paint me and the institutions I work with as charlatans, neo-Nazis, spies, philanderers, abusers of substances or puppies, or all of the above. But it means that there’s little point in being concerned about anything potentially embarrassing in my emails—if the hackers don’t find what they’re hoping for, then they will make it up anyway.
For now, Russia’s trolls and mouthpieces on social media are already busy with their version of who I am and what happened. There’s a consistent pattern where it takes 24 hours after something happens for their storylines to go out for dissemination—and after that, the same lines are repeated almost word for word across different media and different languages. Some real-life characters in the Russia business have also been crowing with delight at the “hilarious” hack. But that’s not much different from the background noise of lies and abuse that someone in my line of work takes for granted.
What’s far more significant in this case is how many other people around the world could be exposed to the same security risk and know nothing about it. Now that the power of this tool has been demonstrated, cyber researchers are expecting it to be used far more widely. That means that it could be abused not just against people who have made enemies in Russia, such as myself, but also ordinary users who might not consider themselves at risk. And that could be for cybercrime, low-grade snooping, or just settling scores.
In my case, the attackers put an extraordinary amount of time, effort, and patience into building the con. For whatever reason, they decided I was worth it—or maybe they were just frustrated after so many previous failed efforts over so many years.
But anyone who is not as automatically cautious as me—perhaps because they’re not in a line of work that sees them routinely targeted—could be taken in by a far less sophisticated deception campaign. We probably all have friends and relatives, especially older ones, who have been taken in by scams that, in hindsight, seemed blatantly obvious.
If they know how, then readers should check whether this kind of password has been set up on their accounts. If they are concerned, there are options such as Google’s Advanced Protection Program, which blocks this method of attack and some others. But in any case, Google and other companies should make sure that the risk of this account feature is more widely understood by ordinary users.
When attacks do succeed, it’s also important that more people speak up about them. It’s understandable that individuals who are duped in this way are sometimes reluctant to come forward and share the details. Anybody less thick-skinned than me might be embarrassed—and feel a little foolish at having been outwitted. But it’s essential to share as much as possible. Our collective security is worth so much more than one person’s individual embarrassment.
The post I Was Hacked Because I Work on Russia appeared first on Foreign Policy.
