Google has identified a connection between Russian state hackers and exploits that bear an “identical or strikingly similar” resemblance to those created by spyware companies NSO Group and Intellexa, raising concerns about the spread of commercial spyware into the hands of state-backed threat actors.
In a blog post, Google revealed its discovery of these exploits, but admitted uncertainty about how the Russian government acquired them. This incident, according to Google, illustrates the risks when spyware developed by private companies falls into the hands of highly “dangerous threat actors.”
The hackers, known as APT29, have been linked to Russia’s Foreign Intelligence Service (SVR). This group has a well-documented history of conducting cyber-espionage and data theft operations against high-profile targets, including tech companies like Microsoft and SolarWinds, as well as various government entities.
Watering Hole Attacks on iPhones, Android Devices
Google’s investigation found that the malicious code had been planted on Mongolian government websites from November 2023 to July 2024. During this period, visitors to these sites using iPhones or Android devices could have had their devices compromised and personal data, such as passwords, stolen in a type of attack known as a “watering hole.”
Watering hole attacks are a tactic where attackers compromise legitimate websites to infect site visitors.
The attackers exploited vulnerabilities in the Safari browser on iPhones and Google Chrome on Android—both of which had been patched before the Russian campaign began. However, devices that hadn’t been updated remained vulnerable.
The iPhone exploit was particularly concerning, as it was designed to capture cookies from Safari, specifically targeting accounts hosted by online email providers used by Mongolian government officials. With access to these cookies, attackers could potentially infiltrate these accounts. Similarly, the attack on Android devices employed two separate exploits to extract cookies stored in the Chrome browser.
Brief Overview of the Mongolian Campaign
The watering hole attacks compromised the Mongolian government websites cabinet[.]gov[.]mn and mfa[.]gov[.]mn. These sites loaded a hidden iframe from attacker-controlled domains.
The campaigns targeted:
- iOS Users between November 2023 & February 2024: A WebKit exploit (CVE-2023-41993) affecting devices running iOS versions older than 16.6.1. This exploit delivered a cookie stealer framework observed by TAG in a suspected APT29 campaign in 2021. The targeted websites included webmail services and social media platforms.
- Android Users with Google Chrome (July 2024): A Chrome exploit chain targeting vulnerabilities CVE-2024-5274 and CVE-2024-4671. This chain included a sandbox escape exploit to bypass Chrome’s Site Isolation protection, allowing attackers to steal a broader range of data beyond cookies.
Exploit Similarities
The iOS exploit used in the watering hole attacks mirrored one used by Intellexa in September 2023. Both exploits shared the same trigger code and exploitation framework, suggesting a potential common source. Additionally, the Chrome exploit chain incorporated techniques similar to those observed in a sandbox escape exploit used by Intellexa in 2021.
‘Strikingly Similar’ Spyware Exploits a Mystery
Clement Lecigne, the Google security researcher who authored the blog post, explained that while the exact targets of the Russian hackers are not fully known, the location of the exploit and typical visitors suggest that Mongolian government employees were likely in the crosshairs.
Lecigne, a member of Google’s Threat Analysis Group, which specializes in investigating state-sponsored cyber threats, pointed out that the exploit code reuse points to Russian involvement. The same cookie-stealing code was observed in a previous campaign by APT29 in 2021.
The mystery behind how Russian hackers initially gained access to the exploit code remains unresolved, however. Google reported that the code used in both Mongolian attacks closely matched the exploits developed by NSO Group and Intellexa, companies recognized for creating spyware capable of breaching even fully updated iPhones and Android devices.
Google emphasized that the Android exploit shared a “very similar trigger” with one from NSO Group, while the iPhone exploit used “the exact same trigger” as one from Intellexa, strongly suggesting a link between the exploit authors or providers and the Russian hackers.
‘NSO Does Not Sell to Russia’
While the claims from Google shows an overlap of exploits and potential links between Russia and private spyware vendors, the NSO Group has denied these links. Gil Lainer, Vice President for Global Communications at NSO Group, told The Cyber Express, “NSO does not sell its products to Russia.”
“Our technologies are sold exclusively to vetted US and Israel-allied intelligence and law enforcement agencies. Our systems and technologies are highly secure and are continuously monitored to detect and neutralize external threats.”
Both the U.S. and Israel have previously investigated NSO group’s clientele and kept a close eye on it.