Google says Russian group targeted Mongolian government with exploits used by NSO Group

Google security researchers said they uncovered an espionage campaign against websites run by the Mongolian government, attributing the operation to Russia-backed hackers using exploits previously deployed by commercial surveillance vendors Intellexa and NSO Group.

A Google spokesperson told Recorded Future News that the campaign stood out because it was the first time the researchers saw alleged members of the Russian group tracked as APT29 using the same exploits as those sold by commercial surveillance vendors. 

“We do not know how they were acquired and if Intellexa or NSO knowingly sold them to the Russian government,” they added.

The campaign used the websites as “watering holes” — a type of attack that targets specific groups of people by compromising popular platforms they are likely to visit. In a report posted Thursday, Google’s Threat Analysis Group (TAG) said the operation ran between November 2023 and July 2024. 

APT29 added malicious code to the website for Mongolia’s Ministry of Foreign Affairs and the website for the country’s cabinet, Google said. 

The campaigns first delivered exploits targeting iPhone users and then added versions to target Android and Chrome users, the researchers said. Patches have been released for all of the exploits but the campaign would have been successful against those who have not patched their devices. 

The Apple vulnerability — CVE-2023-41993 — affects iPhone users running versions 16.6.1 or older, and TAG found tactical evidence tying it to a previously observed campaign run by APT29. The Google bugs targeted were CVE-2024-5274 and CVE-2024-4671. 

TAG said it notified Mongolia’s cybersecurity bureau and Apple as well as Android and Google Chrome about the campaign. 

The goal of the campaign was to exfiltrate browser cookies from a device. TAG explained that the Apple exploit “used the exact same trigger” as an exploit used by Intellexa, “strongly suggesting the authors and/or providers are the same.”

Intellexa was blacklisted by the U.S. government last year for its role in manufacturing spyware. 

TAG shared images that showed both the exploit used in the watering hole attack and the exploit deployed by Intellexa in September 2023 had the same code. 

“The iOS exploit loaded the same cookie stealer framework that TAG observed in March 2021 when a Russian government-backed attacker exploited CVE-2021-1879 to acquire authentication cookies from prominent websites such as LinkedIn, Gmail, and Facebook,” TAG explained. “In that campaign, attackers used LinkedIn Messaging to target government officials from western European countries by sending them malicious links.”

NSO Group tools

The attacks on Apple and Android devices used various tools to identify which hardware was attempting to access the websites before initiating the attacks. 

The Android-focused operation used CVE-2024-5274, which was discovered by TAG in May after it was used by NSO Group. NSO Group is one of the most prominent spyware companies in the world, facing immense backlash after its tools were discovered in a campaign against dozens of world leaders, journalists, human rights workers and more. 

The exploit used by NSO Group was adapted and changed by APT29 in ways that went beyond how the attackers did with the Intellexa exploit for Apple devices. 

TAG said at the end of July, they discovered a new watering hole attack targeting Mongolia’s mfa.gov[.]mn website where they inserted code used to deliver a Google Chrome exploit chain to Android users.

“From a high level overview, the attack and end goal are essentially the same as the iOS one – using n-day vulnerabilities in order to steal credential cookies – with some differences on the technical side,” TAG said. 

The goal for the Chrome-focused campaign was to steal saved cookies for all websites, as well as account data like credit cards, passwords stored in Chrome, a user’s Chrome history and more. 

While the researchers do not know how the exploits were obtained by APT29, they warned that similar advanced persistent threat (APT) groups are now using exploits that were originally used by commercial vendors. 

Watering hole attacks “remain a threat where sophisticated exploits can be utilized to target those that visit sites regularly, including on mobile devices,” TAG said. 

APT29 — associated with Russia’s foreign intelligence service, the SVR — is one of the Kremlin’s highest-profile hacking operations. The group, also known as Cozy Bear, recently drew headlines for an attack on popular remote access software company TeamViewer.

Recorded Future News reported three weeks ago that APT29 was also responsible for accessing emails and data from officials working within the British government through an attack on Microsoft earlier this year.