Google has discovered that hackers linked to the Russian government are using exploits remarkably similar to those previously employed by the known spyware developers Intellexa and NSO Group.
In a recent blog post, Google said it is uncertain how these Russian actors obtained the exploits, and emphasized the danger posed when spyware technology falls into the hands of malicious actors.
Google attributes the activity to APT29, a hacking group closely associated with the SVR, Russia’s Foreign Intelligence Service. APT29 is notorious for sophisticated espionage operations targeting organizations such as Microsoft and SolarWinds, as well as governments around the world.
Google found hidden exploit code on Mongolian government websites between November 2023 and July 2024. Visitors who reached these sites from an iPhone or Android device were at risk of having their devices compromised and sensitive information such as passwords stolen, in what is described as a “watering hole” attack.
The attacks exploited known flaws in the Safari browser on iPhones and the Chrome browser on Android devices. Although patches for these vulnerabilities were already available, devices that had not been updated remained exposed.
Google’s analysis found that the campaign aimed at iPhones and iPads sought to steal user account cookies stored in Safari for various email services. The campaign aimed at Android devices chained two exploits to hijack user cookies in Chrome.
Clement Lecigne of Google’s Threat Analysis Group told TechCrunch that, although the specific targets of the Russian hackers remain unclear, Mongolian government staff were probable victims given where the exploits were placed and who visits those sites.
Lecigne added that the reuse of code ties the activity back to Russia, citing identical cookie-stealing code observed in a prior APT29 campaign in 2021.

One major question remains: how did these Russian hackers obtain the exploit code? Google reported that the operations used code very similar to that of Intellexa and NSO Group, which are infamous for advanced spyware capable of compromising even the latest iPhone and Android models.
Specifically, the iOS-targeting exploits shared the same trigger as exploits used by Intellexa, strengthening the link between the exploits’ origins. On the Android side, a similar pattern was observed with exploits developed by NSO Group, according to Google’s findings.
Lecigne dismissed the idea that the Russian hackers had independently reproduced the exploits, suggesting instead that they were acquired through purchase or theft.
NSO Group did not initially respond to inquiries; a later statement denied selling its technology to Russia, citing a strict policy of selling only to allies of the U.S. and Israel. The Russian Embassy, Mongolia’s U.N. Mission, Intellexa, and Apple did not comment.
Google stresses the importance of applying updates and patches promptly to fend off such threats. Lecigne noted that iPhone and iPad users with Lockdown Mode enabled were protected against these exploits even on vulnerable software versions.
NSO’s response was added after initial publication.
Compiled by Techarena.au.