
Commercial Spyware Vendors Found to Have a Copycat in Leading Russian APT


Recently, multiple exploit campaigns have been linked to a Russian-backed threat actor tracked as APT29 (also known as Cozy Bear and Midnight Blizzard). These campaigns were found delivering n-day mobile exploits that had previously been used by commercial spyware vendors, raising concerns about the security and privacy of users.

According to Google’s Threat Analysis Group (TAG), these exploit campaigns were launched through a watering hole attack on Mongolian government websites. The exploits used in these campaigns are identical to those previously utilized by commercial surveillance vendors Intellexa and NSO Group, indicating a potential connection between the threat actor and these vendors.

The threat actors infected two websites belonging to Mongolia’s Cabinet and Ministry of Foreign Affairs, cabinet.gov[.]mn and mfa.gov[.]mn, in the watering-hole attacks. By injecting malicious code to exploit known vulnerabilities in iOS and Chrome on Android, the attackers aimed to hijack the devices of visitors to these websites.

The campaigns were observed on three separate occasions, the most recent just a month ago. Two of them delivered an iOS exploit for a vulnerability tracked as CVE-2023-41993, which had recently been patched, but not before it was exploited by Intellexa and NSO Group.

The researchers at Google TAG emphasized that they do not know how the attackers acquired these exploits, but it is clear that APT actors are leveraging n-day exploits that were originally used as 0-days by commercial surveillance vendors. Despite similarities in exploit usage, the recent watering hole campaigns differed in their delivery methods and second-stage objectives.

Although there are still unanswered questions about the source of these exploits, this incident underscores the growing threat posed by exploits developed by the commercial surveillance industry. As threat actors continue to utilize these exploits, it becomes increasingly challenging to defend against sophisticated cyber threats.

In conclusion, the discovery of exploit campaigns linked to a Russian-backed threat actor highlights the evolving landscape of cyber threats and the need for robust cybersecurity measures to protect against such attacks. It also raises questions about the relationship between threat actors and commercial surveillance vendors, emphasizing the importance of collaboration between security researchers, vendors, and government agencies to address these complex cybersecurity challenges.
