CyberSecurity SEE

Russian APT29 Employing NSO Group-Style Techniques in Cyber Attacks, Google Reports


Google’s Threat Analysis Group (TAG) has detailed a campaign it attributes, with moderate confidence, to the Russian state-backed group APT29, also tracked as Cozy Bear and Midnight Blizzard. The attackers used exploits closely resembling those developed by the commercial spyware vendors NSO Group and Intellexa.

According to TAG, the exploits were delivered through a series of watering hole attacks on Mongolian government websites.

The attacks, carried out between November 2023 and July 2024, compromised the websites cabinet.gov.mn and mfa.gov.mn and injected a hidden iframe that loaded exploit code from attacker-controlled infrastructure into pages served to ordinary visitors. Once the exploit ran, the payload quietly exfiltrated browser data, including cookies, from vulnerable iOS and Android devices.

Of particular concern is the resemblance between the exploits used by APT29 and those previously attributed to Intellexa and NSO Group. TAG does not know how the group obtained them, but the resemblance raises the possibility that the exploits were acquired from, or leaked out of, the commercial spyware market.

NSO Group, an Israeli technology firm best known for the controversial Pegasus spyware, which enables covert smartphone monitoring and data extraction, is one of the most prominent players in the surveillance technology industry. Intellexa, reportedly based in Greece, sells cyber intelligence and spyware products, including the Predator spyware for iOS and Android devices, to government bodies and law enforcement agencies.

In its report, TAG stressed that exploits first developed by the commercial surveillance industry are proliferating to other threat actors, and that this makes the industry’s output dangerous well beyond its original customers. The vulnerabilities used in these attacks had already been patched by Apple and Google, so the attackers were running n-day exploits that worked only against devices whose owners had not yet installed the updates.

The attack on iOS devices used a WebKit exploit for CVE-2023-41993 that affected iPhones running iOS versions older than 16.6.1. TAG assessed the exploit to be essentially identical to one previously used by Intellexa. Its payload was a cookie stealer that exfiltrated authentication cookies for a list of target sites, including Gmail, LinkedIn, and Facebook, allowing the attackers to hijack those sessions without knowing the victims’ passwords.

In July 2024 the attackers pivoted to Android devices with a Google Chrome exploit chain. CVE-2024-5274, a type confusion bug in the V8 JavaScript engine, gave the attackers initial code execution inside the renderer, and CVE-2024-4671, a use-after-free in Chrome’s Visuals component, was chained with it to escape Chrome’s sandbox. The chain worked against Chrome versions m121 through m123, and its payload harvested cookies, saved passwords, browsing history, and stored credit card details. TAG noted that this chain closely matched one previously used by NSO Group.
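As an added example, not code from Google TAG’s report or from this article, the following Python script shows how the operator of a compromised site could triage its own web server access logs after a watering hole incident of this kind. It parses combined-format log lines, keeps only requests inside the campaign window, and flags visitors whose browser falls into the version ranges the report names (iOS older than 16.6.1 for the WebKit bug, Chrome m121 to m123 on Android). The log lines, IP addresses and timestamps are constructed for the example, and the Apache/nginx combined log format is an assumption. Note that the iOS check keys on the iPhone OS version rather than the browser name, because every browser on iOS, including Chrome (CriOS), uses the system WebKit engine.

```python
import re
from datetime import datetime, timezone

# Version boundaries as given in the report: iOS builds older than 16.6.1 were exposed to
# the WebKit bug (CVE-2023-41993); Chrome m121 through m123 on Android to the Chrome chain.
IOS_FIXED_VERSION = (16, 6, 1)
CHROME_VULN_MAJORS = range(121, 124)  # 121, 122, 123 inclusive
# Campaign window as stated in the report (November 2023 to July 2024).
CAMPAIGN_START = datetime(2023, 11, 1, tzinfo=timezone.utc)
CAMPAIGN_END = datetime(2024, 7, 31, 23, 59, 59, tzinfo=timezone.utc)

# Assumed "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
IOS_VERSION = re.compile(r"iPhone OS (\d+)(?:_(\d+))?(?:_(\d+))?")  # e.g. 16_5 or 16_6_1
CHROME_MAJOR = re.compile(r"\bChrome/(\d+)\.")

# Constructed sample log lines (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '203.0.113.10 - - [14/Feb/2024:09:12:01 +0000] "GET / HTTP/1.1" 200 5123 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1"',
    '203.0.113.11 - - [14/Feb/2024:09:13:44 +0000] "GET / HTTP/1.1" 200 5123 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 17_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Mobile/15E148 Safari/604.1"',
    '203.0.113.12 - - [10/Jul/2024:11:02:09 +0000] "GET /news HTTP/1.1" 200 8810 "-" '
    '"Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.64 Mobile Safari/537.36"',
    '203.0.113.13 - - [10/Jul/2024:11:05:30 +0000] "GET /news HTTP/1.1" 200 8810 "-" '
    '"Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Mobile Safari/537.36"',
    '203.0.113.14 - - [02/Oct/2024:08:00:00 +0000] "GET / HTTP/1.1" 200 5123 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 16_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Mobile/15E148 Safari/604.1"',
    '203.0.113.15 - - [05/Mar/2024:16:41:12 +0000] "GET / HTTP/1.1" 200 5123 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"',
    '203.0.113.16 - - [05/Mar/2024:16:45:00 +0000] "GET / HTTP/1.1" 200 5123 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/110.0.5481.114 Mobile/15E148 Safari/604.1"',
]


def ios_version(ua):
    """Return the iOS version as a (major, minor, patch) tuple, or None for non-iPhone UAs."""
    m = IOS_VERSION.search(ua)
    if not m:
        return None
    return tuple(int(part) if part is not None else 0 for part in m.groups())


def android_chrome_major(ua):
    """Return the Chrome major version for Android Chrome UAs, or None.
    Chrome on iOS (CriOS) is excluded on purpose: it runs on WebKit and is handled by ios_version."""
    if "Android" not in ua:
        return None
    m = CHROME_MAJOR.search(ua)
    return int(m.group(1)) if m else None


def classify(ua):
    """Map a User-Agent string to the exploit its browser was exposed to, or None."""
    ios = ios_version(ua)
    if ios is not None:
        return "ios-webkit" if ios < IOS_FIXED_VERSION else None
    chrome = android_chrome_major(ua)
    if chrome is not None and chrome in CHROME_VULN_MAJORS:
        return "android-chrome"
    return None


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "when": when, "request": m.group("req"), "ua": m.group("ua")}


def triage(lines):
    """Return (ip, ISO timestamp, exposure) for in-window requests from exposed browsers."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (CAMPAIGN_START <= rec["when"] <= CAMPAIGN_END):
            continue
        exposure = classify(rec["ua"])
        if exposure:
            hits.append((rec["ip"], rec["when"].isoformat(), exposure))
    return hits


if __name__ == "__main__":
    for ip, when, exposure in triage(SAMPLE_LOG):
        print(f"{when} {ip} {exposure}")
```

The version tuple comparison is what makes the edge cases come out right: a device on exactly 16.6.1 is not flagged, a device on 16.5 is, and a version string with only two components is padded with a zero patch level rather than mis-parsed. A request from October 2024 is dropped by the window check even though its browser is vulnerable, since the report does not place the injected iframe on the site at that time; a real investigation would tighten the window to the periods in which the iframe was actually present.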

Google has taken steps to contain the threat, including adding the compromised sites and the attacker-controlled domains to its Safe Browsing service, notifying Apple and the Android and Chrome teams, and working with the Mongolian CERT to clean the affected websites.

The campaign underscores the growing overlap between state-sponsored threat actors and the commercial surveillance industry, and the risk that exploits built for sale to governments end up in the hands of other attackers. For defenders, the practical lesson is narrower and more urgent: every exploit in this campaign was an n-day, so timely patching of mobile operating systems and browsers would have blocked it outright.
