Russian APT29 hackers use iOS, Chrome exploits created by spyware vendors

Russia

The Russian state-sponsored APT29 hacking group has been observed using the same iOS and Android exploits created by commercial spyware vendors in a series of cyberattacks between November 2023 and July 2024.

The activity was discovered by Google’s Threat Analysis Group (TAG), who said the n-day flaws have already been patched but remain effective on devices that have not been updated.

APT29, also known as “Midnight Blizzard”, targeted multiple websites of the Mongolian government and employed “watering hole” tactics.

A watering hole is a cyberattack where a legitimate site is compromised with malicious code designed to deliver payloads to visitors that meet specific criteria, like device architecture or location (IP-based).

Interestingly, TAG notes that APT29 used exploits that were almost identical to those used by commercial surveillance-ware vendors like NSO Group and Intellexa, who created and leveraged the flaws as zero days when no fix was available.

Timeline of attacks

Google’s threat analysts note that APT29 has a long history of exploiting zero-day and n-day vulnerabilities.

In 2021, the Russian cyber-operatives exploited CVE-2021-1879 as a zero-day, targeting government officials in Eastern Europe, attempting to deliver a cookie-stealing framework that snatched LinkedIn, Gmail, and Facebook accounts.

In November 2023, APT29 compromised Mongolian government sites ‘mfa.gov[.]mn’ and ‘cabinet.gov[.]mn’ to add a malicious iframe that delivered an exploit for CVE-2023-41993.

November 2023 attack chain
November 2023 attack chain
Source: Google

This is an iOS WebKit flaw that APT29 leveraged for stealing browser cookies from iPhone users running iOS 16.6.1 and older.

TAG reports that this exploit was exactly the same as the one Intellexa used in September 2023, leveraging CVE-2023-41993 as a zero-day vulnerability at the time.

Exploit similarities (left is APT29)
Exploit code overlaps (left is APT29)
source: Google

In February 2024, APT29 compromised another Mongolian government website, ‘mga.gov[.]mn,’ to inject a new iframe delivering the same exploit.

On July 2024, APT leveraged exploits for CVE-2024-5274 and CVE-2024-4671, impacting Google Chrome, to attack Android users visiting ‘mga.gov[.]mn’.

Chaining two Google Chrome flaws in the attack
Chaining two Google Chrome flaws
source: Google

The purpose was to steal cookies, passwords, and other sensitive data stored on the victims’ Chrome browser.

The exploit used for CVE-2024-5274 is a slightly modified version of that NSO Group used for zero-day exploitation in May 2024, while the exploit for CVE-2024-4671 featured many similarities to Intellexa’s previous exploits.

Timeline of exploitation
Timeline of exploitation
source: Google

Previously known only to spyware vendors

It is unknown how the APT29 hackers gained access to the exploits previously known only to NSO Group and Intellexa. However, independently creating their own exploits with the limited information seems unlikely.

Possible explanations include APT29 hacking spyware vendors, recruiting or bribing rogue insiders working at those firms or maintaining a collaboration either directly or via an intermediary. 

Another possibility is their purchase from a vulnerability broker who previously sold them to surveillance companies as zero-days.

No matter how these exploits reach sophisticated state-backed threat groups, the key issue is that they do. This makes it even more critical to promptly address zero-day vulnerabilities labeled as ‘under limited scope exploitation’ in advisories—far more urgent than mainstream users might realize.