Google has uncovered evidence suggesting that Russian government hackers are utilizing exploits that bear similarities to those previously used by spyware manufacturers Intellexa and NSO Group.
In a recent blog post, Google pointed out that these exploits, now in possession of the Russian government, highlight the risk of advanced cyber threats from state-sponsored actors.
The group behind these activities is APT29, linked to Russia’s SVR, known for espionage and data theft against various high-profile targets, such as Microsoft, SolarWinds, and governments.
Google’s investigation found hidden exploit code on Mongolian government websites, potentially compromising visitors’ iPhones and Android devices through a “watering hole” attack.
Although the Safari and Chrome vulnerabilities had already been patched, the exploits could still compromise devices that had not received the updates and steal sensitive data.
To target iPhones and iPads, the exploits aimed to steal user account cookies from Safari, while for Android devices, two different exploits were used to extract user cookies from Chrome.
Google’s security researcher Clement Lecigne noted that the reuse of code by Russian hackers and APT29 suggests a coordinated effort similar to a previous 2021 campaign.
The source of the exploit code raises questions, as Google found similarities to known exploits from Intellexa and NSO Group, companies known for developing spyware capable of compromising fully patched devices.
Lecigne suggested that the reuse of exploit codes points to a shared source between APT29 and the Russian government, rather than independent creation.
To mitigate such risks, Google advised users to promptly install patches and keep their devices updated. Users with Lockdown Mode enabled on iOS devices were not affected, even with vulnerable software versions.
Attempts to reach out to relevant parties for comments, including the Russian Embassy, Mongolia’s Permanent Mission, Intellexa, NSO Group, and Apple, were unsuccessful at the time of publication.