Thursday, September 19, 2024

Russian Hackers Exploit NSO and Intellexa Spyware Tools

Google has identified evidence suggesting that Russian government hackers are using exploits that are “identical or strikingly similar” to those previously developed by spyware companies Intellexa and NSO Group. These findings raise concerns about how such exploits can end up in the hands of dangerous cyber actors.

Russian Exploit Use by APT29

The exploits were reportedly used by APT29, a group of hackers associated with Russia’s Foreign Intelligence Service (SVR). APT29 is known for its sophisticated espionage and data theft campaigns against various targets, including tech companies like Microsoft and SolarWinds, as well as foreign governments.

Watering Hole Attack on Mongolian Government Websites

Google discovered the exploit code embedded on Mongolian government websites from November 2023 to July 2024. This “watering hole” attack could have compromised visitors’ devices, including iPhones and Android phones, and stolen sensitive data such as passwords. The exploits targeted vulnerabilities in Safari on iPhones and Google Chrome on Android, both of which had been patched before the Russian campaign but could still affect unpatched devices.

Specifics of the Exploit

The exploit aimed at iPhones was designed to steal user account cookies stored in Safari, particularly from email providers hosting accounts of the Mongolian government. For Android devices, two separate exploits were combined to steal cookies stored in the Chrome browser. These stolen cookies could potentially allow attackers to access targeted government accounts.

Uncertainty About the Target

While the exact targets remain unclear, Google believes that Mongolian government employees were likely targeted based on the sites hosting the exploit and their typical visitors. This assumption is supported by the history of similar cookie-stealing tactics used by APT29 in earlier campaigns.

Questions About the Source of the Exploit Code

A major question is how the Russian hackers obtained the exploit code. Google suggests several possibilities, including purchasing the exploit after it was patched or stealing it from another customer. The code’s similarity to exploits developed by Intellexa and NSO Group strongly suggests a common origin.

Responses and Recommendations

NSO Group, in a statement after the article’s publication, denied selling products to Russia, emphasizing that their technologies are only sold to vetted U.S. and Israel-allied intelligence and law enforcement agencies. Google recommends that users keep their software up-to-date and apply patches quickly to mitigate the risk of similar cyberattacks. Users with Apple’s high-security Lockdown Mode enabled were reportedly unaffected by the exploit, even if their software was vulnerable.

Conclusion

The discovery highlights the risks associated with commercial exploit development: once such tools exist, state-backed hackers may obtain and reuse them for their own malicious purposes.
