The Russian-based APT29 group was seen using the same iOS and Google Chrome exploits as commercial surveillanceware vendors NSO Group and Intellexa, in an espionage campaign that targeted the Mongolian government.
Researchers that discovered the campaign do not know how the APT attackers acquired the exploit. The exploits were observed in three separate attacks that researchers linked “with moderate confidence” to APT29 in November 2023, February 2024 and July 2024. These campaigns stemmed from watering hole attacks impacting Mongolian government websites, where threat actors compromised the sites and loaded a hidden iframe from an attacker-controlled website.
“In each iteration of the watering hole campaigns, the attackers used exploits that were identical or strikingly similar to exploits previously used by commercial surveillance vendors (CSVs) Intellexa and NSO Group,” according to researchers with Google’s Threat Analysis Group (TAG) in a Thursday analysis. “Although the underlying vulnerabilities had already been addressed, we notified both Apple and our partners at Android and Google Chrome about the campaigns at the time of discovery. We also notified the Mongolian CERT to remediate the infected websites.”
The watering hole iframe in the November 2023 and February 2024 attacks included an exploit for iPhone users running iOS versions 16.6.1 and older, which targeted a WebKit arbitrary code execution bug (CVE-2023-41993). Researchers said that the exploit in the watering hole attack utilized the same trigger code as an exploit used by Intellexa, “strongly suggesting the authors and/or providers are the same.” Intellexa had first exploited this flaw in September 2023 as a zero day.
Then in July 2024, the APT group used an iframe with a Google Chrome exploit chain targeting a type confusion bug (CVE-2024-5274) in V8 and a use after free (CVE-2024-4671) in Google’s Visuals component, in order to deploy an information stealing payload. Again, the trigger code for CVE-2024-5274 used in this campaign was the same as the code used by the NSO Group in a zero-day campaign in May 2024.
Both Intellexa and NSO Group are known for providing law enforcement and intelligence agencies with spyware - the Predator spyware for Intellexa and Pegasus for NSO Group - that have various information stealing, surveillance and remote-access capabilities.
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, said there are several scenarios that could have played out here.
“One option is that APT29 found the vulnerability themselves, and decided to exploit it,” said Galperin. “The other is that they purchased the vulnerability on the open market. And the third is that they didn’t write an exploit until after the vulnerability had been reported, and therefore didn’t even have to go find it, they just had to write an exploit for it and were able to exploit unpatched systems, which is probably the most likely scenario.”
Overall, researchers with Google’s TAG team said that the activity shows how exploits developed by the commercial surveillance industry are eventually spread to and used by threat actors.
“We do not know how the attackers acquired these exploits,” said Google TAG researchers. “What is clear is that APT actors are using n-day exploits that were originally used as 0-days by CSVs. It should be noted that outside of common exploit usage, the recent watering hole campaigns otherwise differed in their approaches to delivery and second-stage objectives.”