Google said it had evidence that Russian government hackers were using exploits that were “identical or very similar” to those previously created by spyware manufacturers Intelexa and NSO Group.
Google said in a blog post on Thursday that while it was unclear how the Russian government obtained the vulnerability, it was an example of how vulnerabilities developed by spyware manufacturers could fall into the hands of “dangerous threat actors.”
In this case, Google says the threat comes from APT29, a highly capable hacking group widely believed to be affiliated with Russia's Foreign Intelligence Service (SVR), known for its long-running and relentless campaigns aimed at espionage and data theft against a variety of targets, including tech giants Microsoft and SolarWinds, as well as foreign governments.
Google said it found hidden exploit code embedded on Mongolian government websites between November 2023 and July 2024. Anyone who visited these sites using an iPhone or Android device during this period could have had their phone hacked through a so-called “waterhole” attack and their data, including passwords, stolen.
The exploits took advantage of vulnerabilities in iPhone's Safari browser and Google Chrome for Android that had already been patched at the time of the suspected Russian attack, but the exploits could still be effective in compromising unpatched devices.
According to the blog post, the iPhone and iPad exploit was designed to steal cookies from user accounts stored in Safari on various online email providers that host personal and work accounts for the Mongolian government. Attackers could then use the stolen cookies to access those government accounts. Google said the attack on Android devices used two separate exploits in tandem to steal user cookies stored in the Chrome browser.
Clement Roussigne, a Google security researcher who wrote the blog post, told TechCrunch that he wasn't sure who the Russian government hackers were targeting with the attack, “but given where the exploit was hosted and who typically visits these sites, we believe it was likely targeted at Mongolian government officials,” he said.
Lusigne, who works in Google's Threat Analysis Group, a security research unit that looks into government-backed cyber threats, said Google linked the code reuse to Russia because researchers had previously observed the same cookie-stealing code used by APT29 in previous attacks in 2021.
A key question remains: How did Russian government hackers get hold of the exploit code in the first place? According to Google, the two versions of the watering hole attack targeting the Mongolian government used code similar or identical to exploits from Intellexa and NSO Group, two companies known for developing exploits capable of delivering spyware that compromises fully patched iPhones and Android phones.
Google said the exploit code used in the watering hole attacks targeting Chrome users on Android shares “very similar triggers” with exploits previously developed by NSO Group. In the case of the exploits targeting iPhones and iPads, the code used “the exact same triggers as the exploits used by Intellexa,” Google said, strongly suggesting the exploits are “created or provided by the same person.”
When asked by TechCrunch about the reuse of exploit code, Lusigne said, “I don't believe the attackers recreated the exploit,” denying the possibility that the Russian hackers had discovered the exploit on their own.
“There are multiple ways that someone could have acquired the same exploit: either they purchased it after it was patched, or they stole a copy of the exploit from another customer,” Lusigne said.
Google said users should “immediately patch” and keep their software up to date to prevent malicious cyberattacks. Lusigne said iPhone and iPad users who had the high-security lockdown mode turned on were not affected, even if they were running vulnerable software versions.
TechCrunch reached out to the Russian Embassy in Washington, DC and the Mongolian Mission to the United Nations in New York for comment but did not receive a response at the time of writing. Intellexa could not be reached for comment, and NSO Group did not respond to a request for comment. Apple spokesman Shane Bauer did not respond to a request for comment.