Chatham House analyst targeted in phishing attack

Chatham House expert Keir Giles has been targeted by a highly sophisticated spear phishing campaign, with suspected ties to Russian intelligence.

The cyber operation impersonated a senior official at the US State Department and attempted to extract sensitive credentials under the guise of a legitimate diplomatic consultation.

The incident, which took place in May 2025, was investigated by Google’s Threat Intelligence Group (GTIG) and Citizen Lab. It has been linked to a threat actor tracked as UNC6293, possibly associated with APT29—an espionage group believed to be backed by Russia’s Foreign Intelligence Service (SVR).

Giles received an email from an individual claiming to be ‘Claudie S. Weber’, a non-existent official at the US Department of State. The message invited him to a meeting to discuss ‘recent developments’, a type of request not uncommon in his line of work.

Although the attacker used a Gmail address, they copied several fake @state.gov email addresses to lend the communication authenticity. According to Citizen Lab, the US State Department’s email servers do not bounce invalid addresses, allowing this tactic to go unnoticed.

The tone of the message, coupled with evasive language, led investigators to suspect that the attackers may have employed a large language model to generate the email content.

While the first message contained no direct malware, a later email included a PDF instructing Giles to create an app-specific password (ASP) for accessing a supposed government platform. In reality, this would have handed full access of his Gmail account to the attackers.

Although Giles followed the instructions, he used a different Gmail account than the one targeted—likely limiting the damage. After ten further email exchanges, he shared details of the attempted attack publicly, warning that the stolen material could be altered and leaked as part of a disinformation campaign.

He noted that the attackers’ patient approach made the scam appear more plausible. Citizen Lab confirmed the threat actor’s ability to adapt based on Giles’ replies, avoiding pressure tactics and instead suggesting future collaboration.

Google ultimately blocked the offending Gmail account and secured the affected inbox. GTIG later disclosed a broader campaign, including another incident themed around Ukraine and Microsoft, beginning in April 2025.

In response, GTIG advised high-risk users to avoid app-specific passwords altogether, particularly when enrolled in the Advanced Protection Program (APP). Other recommendations included promptly revoking unused ASPs, monitoring account activity, and enabling advanced security measures.

The case underscores the evolving tactics of state-aligned cyber actors, who now combine social engineering with AI and deep reconnaissance to breach high-value targets.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!