The Russian state-sponsored APT29 hacking group has been observed using the same iOS and Android exploits created by commercial spyware vendors in a series of cyberattacks between November 2023 and July 2024.
The activity was discovered by Google’s Threat Analysis Group (TAG), who said the n-day flaws have already been patched but remain effective on devices that have not been updated.
APT29, also known as “Midnight Blizzard”, targeted multiple websites of the Mongolian government and employed “watering hole” tactics.
A watering hole is a cyberattack where a legitimate site is compromised with malicious code designed to deliver payloads to visitors that meet specific criteria, like device architecture or location (IP-based).
Interestingly, TAG notes that APT29 used exploits that were almost identical to those used by commercial surveillance-ware vendors like NSO Group and Intellexa, who created and leveraged the flaws as zero days when no fix was available.
Timeline of attacks
Google’s threat analysts note that APT29 has a long history of exploiting zero-day and n-day vulnerabilities.
In 2021, the Russian cyber-operatives exploited CVE-2021-1879 as a zero-day, targeting government officials in Eastern Europe, attempting to deliver a cookie-stealing framework that snatched LinkedIn, Gmail, and Facebook accounts.
In November 2023, APT29 compromised Mongolian government sites ‘mfa.gov[.]mn’ and ‘cabinet.gov[.]mn’ to add a malicious iframe that delivered an exploit for CVE-2023-41993.
This is an iOS WebKit flaw that APT29 leveraged for stealing browser cookies from iPhone users running iOS 16.6.1 and older.
TAG reports that this exploit was exactly the same as the one Intellexa used in September 2023, leveraging CVE-2023-41993 as a zero-day vulnerability at the time.
In February 2024, APT29 compromised another Mongolian government website, ‘mga.gov[.]mn,’ to inject a new iframe delivering the same exploit.
On July 2024, APT leveraged exploits for CVE-2024-5274 and CVE-2024-4671, impacting Google Chrome, to attack Android users visiting ‘mga.gov[.]mn’.
The purpose was to steal cookies, passwords, and other sensitive data stored on the victims’ Chrome browser.
The exploit used for CVE-2024-5274 is a slightly modified version of that NSO Group used for zero-day exploitation in May 2024, while the exploit for CVE-2024-4671 featured many similarities to Intellexa’s previous exploits.
Previously known only to spyware vendors
It is unknown how the APT29 hackers gained access to the exploits previously known only to NSO Group and Intellexa. However, independently creating their own exploits with the limited information seems unlikely.
Possible explanations include APT29 hacking spyware vendors, recruiting or bribing rogue insiders working at those firms or maintaining a collaboration either directly or via an intermediary.
Another possibility is their purchase from a vulnerability broker who previously sold them to surveillance companies as zero-days.
No matter how these exploits reach sophisticated state-backed threat groups, the key issue is that they do. This makes it even more critical to promptly address zero-day vulnerabilities labeled as ‘under limited scope exploitation’ in advisories—far more urgent than mainstream users might realize.