
Russia’s APT29 utilizing spyware vulnerabilities in latest operations


A recent report from Google’s Threat Analysis Group has revealed that Russia’s APT29 is suspected of exploiting zero-day vulnerabilities in Apple WebKit and Google Chrome in a series of sophisticated attacks that resemble spyware exploits. According to the report, these attacks took place between November 2023 and July 2024, targeting older versions of iOS and Android operating systems.

The campaigns, which researchers linked to the Russia-backed threat group APT29, also known as Cozy Bear and Nobelium, delivered the exploits through watering hole attacks on Mongolian government websites. Although patches for the exploited vulnerabilities were already available, the exploits remained effective against devices that had not been updated. Google suggested that the exploits could have originated from spyware vendors, referred to as commercial surveillance vendors.

The report detailed three iterations of the attack, with the first two occurring in November 2023 and February 2024. These attacks utilized a known Apple WebKit bug (CVE-2023-41993) and targeted iPhone users running older iOS versions. The exploits were delivered through poisoned iframes on Mongolian state websites and were designed to exfiltrate browser cookies from the devices.

In the July 2024 attack, the focus shifted to Android users via a Chrome exploit chain targeting credential theft. The poisoned iframe redirected Android users to a malicious site where a Chrome exploit chain was used to deploy a payload aimed at stealing information from the browser. These attacks highlighted the evolving tactics of threat actors in targeting multiple platforms for espionage purposes.
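Both campaigns described above started with an iframe injected into a legitimate government page. As an added defensive illustration (this is not code from the article or from Google's report), the check below parses the HTML of a fetched page and flags iframes that are hidden or zero-sized, or whose src points to a host outside the page's own origin. The page URL, the hostnames and the sample HTML are constructed placeholders; a site owner would run the same check over their own pages as part of routine integrity monitoring.

```python
"""Flag iframes in a fetched page that are hidden or point off-origin.

Added example, not taken from the article or the Google TAG report.
All hostnames and the sample page are constructed placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Boolean attributes (e.g. `hidden`) arrive with value None.
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True if the frame is styled or sized so the visitor cannot see it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if "hidden" in attrs:
        return True
    for dim in ("width", "height"):
        # Attribute form: width="0" / width="1px"
        val = attrs.get(dim, "").strip().rstrip("px")
        if val.isdigit() and int(val) <= 1:
            return True
        # Inline-style form: style="width:0px"
        m = re.search(rf"{dim}:(\d+)px", style)
        if m and int(m.group(1)) <= 1:
            return True
    return False


def _off_origin(src, page_host):
    """True if src names a host that is neither the page host nor a subdomain of it."""
    src_host = urlparse(src).hostname or ""  # relative src -> "" (same origin)
    if not src_host or src_host == page_host:
        return False
    return not src_host.endswith("." + page_host)


def find_suspicious_iframes(page_url, html):
    """Return a list of {src, reasons} for every iframe worth a closer look."""
    page_host = urlparse(page_url).hostname or ""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        if _off_origin(src, page_host):
            reasons.append(f"off-origin src host {urlparse(src).hostname}")
        if _is_hidden(attrs):
            reasons.append("hidden or zero-size frame")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample: two legitimate frames and one injected, invisible frame.
SAMPLE_PAGE_URL = "https://example-ministry.gov.invalid/news"
SAMPLE_HTML = """
<html><body>
<h1>Ministry news</h1>
<iframe src="/embed/video.html" width="640" height="360"></iframe>
<iframe src="https://cdn.example-ministry.gov.invalid/banner" width="300" height="100"></iframe>
<iframe src="https://injected.example.invalid/landing" width="0" height="0" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(hit["src"], "->", "; ".join(hit["reasons"]))
```

The two heuristics are deliberately simple: an off-origin frame on a government page is not always malicious (analytics or embedded media), so the output is a review queue, not a verdict. Comparing each crawl's findings against the previous one is what turns this into a useful tripwire for unexpected additions.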

The report also drew attention to the involvement of spyware vendors in the exploitation of these vulnerabilities. It mentioned that NSO Group and Intellexa had previously exploited similar vulnerabilities as zero-days, raising concerns about the proliferation of exploits from the commercial surveillance industry to malicious threat actors. Despite the uncertainties around how APT29 acquired these exploits, the report emphasized the need for collaboration between security researchers and technology companies to combat such threats effectively.

Google informed Mongolian CERT about the compromised websites and alerted Apple, Android, and Google Chrome about the campaigns upon discovery. The company stressed the importance of timely notification to mitigate the impact of such attacks on users.

In response to inquiries, a Google spokesperson confirmed that APT29 was not believed to be the first to exploit the Chrome vulnerabilities mentioned in the report. Apple did not provide any comments on the matter when contacted by TechTarget Editorial.

Overall, the report shed light on the complex tactics used by threat actors to exploit vulnerabilities in popular software and platforms for espionage purposes. It underscored the ongoing challenges faced by cybersecurity researchers in identifying and mitigating such threats effectively. As the cybersecurity landscape continues to evolve, vigilance and collaboration remain crucial in defending against sophisticated cyber attacks.
