Google has recently uncovered concerning evidence that Russian government hackers are utilizing spyware exploits that are closely linked to those developed by well-known spyware creators: Intellexa and NSO Group. This revelation was made public in a blog post by Google on August 29, highlighting the increasing threat posed by state-sponsored cyberattacks.
Russian Hackers Exploiting Spyware
Google’s Threat Analysis Group (TAG) identified that the Russian cyber espionage group known as APT29 is deploying exploits that are either identical or remarkably similar to those created by Intellexa and NSO Group. APT29, commonly associated with Russia’s Foreign Intelligence Service (SVR), is notorious for its persistent and highly skilled operations targeting foreign governments, technology companies, and other high-value targets. The method by which the Russian government acquired these powerful exploits remains uncertain. Google emphasized that this situation underscores the risks associated with spyware code falling into the hands of malicious actors.
Watering Hole Attack on Mongolian Government
Google’s investigation revealed that these exploits were embedded in Mongolian government websites from November 2023 to July 2024. Visitors to these sites using iPhones or Android devices were at risk of having their devices compromised through a “watering hole” attack. This tactic involves infecting websites that are likely to be visited by the attackers’ targets. The exploits took advantage of known vulnerabilities in the Safari browser on iPhones and Google Chrome on Android devices. Although these vulnerabilities had been patched by the time the Russian campaign was underway, devices that had not been updated remained vulnerable to attack.
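A watering hole depends on the attacker being able to change what a trusted site serves, so the defender's check is content integrity: snapshot each page when it is published, then periodically compare the live page against that snapshot and flag new third-party script or frame sources and new inline scripts. The Python below is an added example written for this article; it is not code from Google's report or from ATYXIT, and the allowlisted host, the `injected-host.invalid` placeholder and the two sample pages are all constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: hosts the site is expected to load scripts or frames from.
ALLOWED_HOSTS = {"cdn.example.gov"}


class _ResourceCollector(HTMLParser):
    """Collects <script>/<iframe> src values and counts inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.sources = []            # list of (tag, src)
        self.inline_scripts = 0
        self._in_inline_script = False
        self._inline_has_body = False

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if src:
            self.sources.append((tag, src))
        elif tag == "script":
            self._in_inline_script = True

    def handle_data(self, data):
        if self._in_inline_script and data.strip():
            self._inline_has_body = True

    def handle_endtag(self, tag):
        if tag == "script":
            if self._inline_has_body:
                self.inline_scripts += 1
            self._in_inline_script = False
            self._inline_has_body = False


def page_hash(html: str) -> str:
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def extract_resources(html: str):
    parser = _ResourceCollector()
    parser.feed(html)
    parser.close()
    return parser.sources, parser.inline_scripts


def build_baseline(html: str) -> dict:
    """Snapshot taken at publish time, when the page is known to be clean."""
    sources, inline = extract_resources(html)
    return {"hash": page_hash(html), "sources": set(sources), "inline_scripts": inline}


def audit_page(html: str, baseline: dict, allowed_hosts=ALLOWED_HOSTS) -> list:
    """Return a list of findings; an empty list means the page matches its baseline."""
    findings = []
    if page_hash(html) != baseline["hash"]:
        findings.append("content hash changed since baseline")
    sources, inline = extract_resources(html)
    for tag, src in sources:
        host = urlsplit(src).hostname          # None for same-origin relative URLs
        if host is not None and host not in allowed_hosts:
            findings.append(f"<{tag}> loads from unapproved host {host}: {src}")
        if (tag, src) not in baseline["sources"]:
            findings.append(f"<{tag}> src not present in baseline: {src}")
    if inline > baseline["inline_scripts"]:
        findings.append(
            f"inline script blocks increased from {baseline['inline_scripts']} to {inline}"
        )
    return findings


# Constructed sample: the page as published (clean) ...
BASELINE_HTML = (
    "<html><head>\n"
    '<script src="/js/app.js"></script>\n'
    '<script src="https://cdn.example.gov/lib.js"></script>\n'
    "</head><body><h1>Ministry portal</h1></body></html>\n"
)
# ... and the same page with a hidden frame and an inline script inserted, the
# generic shape of a watering-hole injection (constructed, not taken from the report).
TAMPERED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<iframe src="https://injected-host.invalid/landing.html" style="display:none"></iframe>\n'
    '<script>document.title = "portal";</script></body>',
)

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_HTML)
    for name, html in (("clean", BASELINE_HTML), ("tampered", TAMPERED_HTML)):
        print(name, audit_page(html, baseline) or ["no findings"])
```

Run against the live site on a schedule, the baseline comparison catches a modified page even when the injected element is hidden, while the host allowlist catches a third-party source that was never approved, which is the more useful signal on sites that change often and cannot keep a stable hash.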
Targeted Attacks and Methods
The attacks on iPhones and iPads were specifically designed to steal user account cookies stored in the Safari browser, particularly those linked to online email providers used by the Mongolian government. These stolen cookies could potentially grant attackers unauthorized access to government accounts. For Android devices, two distinct exploits were used to steal cookies stored in the Chrome browser. Google’s researchers connected the reuse of this cookie-stealing code to APT29, noting that similar tactics had been observed in 2021.
Unresolved Questions: Acquisition of Exploits
A key question arising from Google’s findings is how Russian government hackers obtained the exploit code. Both the Safari and Chrome exploits bear a close resemblance to those developed by Intellexa and NSO Group, companies known for creating spyware capable of compromising even fully patched devices. Google’s analysis indicates that the exploit code used in the watering hole attacks shares a “very similar trigger” with earlier exploits developed by NSO Group. Furthermore, the code targeting iPhones and iPads used the “exact same trigger” as an exploit created by Intellexa, suggesting involvement from the same authors or providers. Clement Lecigne, a security researcher at Google, mentioned that the team does not believe the state-sponsored hackers recreated the exploit. He noted, “There are multiple possibilities as to how they could have acquired the same exploit, including purchasing it after it was patched or stealing a copy of the exploit from another customer.”
The Importance of Staying Updated
Google stressed the critical importance of keeping software up to date to prevent such cyberattacks and avoid becoming a victim of spyware exploits. Users are advised to promptly apply patches to protect their devices from known vulnerabilities. Interestingly, iPhone and iPad users with Apple’s high-security Lockdown Mode enabled were reportedly unaffected by the attack, even if they were running a vulnerable software version. This highlights the effectiveness of additional security measures in safeguarding against sophisticated cyber threats.
ATYXIT is a security-first Business IT Solutions Provider and Chicago Cloud Provider. We excel in supporting and evolving company networks. Our technical support, technology consulting, project management, cyber security and IT strategy services make us the ideal IT resource for local small and medium sized businesses.
Reach out today if you need any assistance with your business technology!