Russia's APT29 using spyware exploits in new campaigns

A new report from Google TAG suggests that Russia's APT29 is using vulnerability exploits first developed by spyware vendors to target Mongolian government websites.

Russia's APT29 is suspected of exploiting former zero-day flaws in Apple WebKit and Google Chrome in a series of attacks that strongly resemble spyware exploits, according to a Thursday report from Google's Threat Analysis Group.

Google TAG's report tracked multiple exploit campaigns that occurred between November 2023 and July 2024. The campaigns utilized "an iOS WebKit exploit affecting iOS versions older than 16.6.1 and then later, a Chrome exploit chain against Android users running versions from m121 to m123," the report read. Researchers attributed the campaign with moderate confidence to Russia-backed threat group APT29, also known as Cozy Bear and Nobelium, which was responsible for the infamous 2020 supply chain attack against SolarWinds.

The exploits were delivered via watering hole attacks involving Mongolian government websites, and the campaigns "delivered n-day exploits for which patches were available, but would still be effective against unpatched devices," Google said. Moreover, the exploits could have originated from spyware vendors, which Google refers to as commercial surveillance vendors.

"In each iteration of the watering hole campaigns, the attackers used exploits that were identical or strikingly similar to exploits previously used by commercial surveillance vendors (CSVs) Intellexa and NSO Group," Google's report read.

The report described the attack in three iterations, occurring in November 2023, February 2024 and July 2024. The earlier two attacks utilized CVE-2023-41993, an Apple WebKit bug credited to Bill Marczak of Citizen Lab at the University of Toronto's Munk School, as well as Maddie Stone at Google TAG. Citizen Lab research from last September claimed that it and other flaws were being used by Cytrox's Predator spyware.

Google said that in the November campaign, two Mongolian state websites (cabinet.gov[.]mn and mfa.gov[.]mn) included an iframe delivering the WebKit vulnerability to iPhone users running versions 16.6.1 or older. TAG previously observed the cookie-stealing framework delivered by the exploit being used in a suspected APT29 campaign in 2021. "This is the first time it has been observed since the 2021 campaign," the report read.

The February attack was very similar, utilizing a similar poisoned iframe on a Mongolian state site (mfa.gov[.]mn) as well as the same flaw targeting the same iPhone users. The primary differentiator was that the list of poisoned state websites was updated to include additional ones (such as webmail.mfa.gov[.]mn/owa/auth).

"When visited with an iPhone or iPad device, the watering hole sites used an iframe to serve a reconnaissance payload, which performed validation checks before ultimately downloading and deploying another payload with the WebKit exploit to exfiltrate browser cookies from the device," the report read. "The WebKit exploit did not affect users running the current iOS version at the time (iOS 16.7), working only on iOS versions 16.6.1 or older. Users with lockdown mode enabled were not affected, even when running a vulnerable iOS version."

The July attack was more distinct in that the poisoned iframe targeted Android users via a Chrome exploit chain rather than iPhone users. The ultimate goal in these attacks was credential theft.

"mfa.gov[.]mn was compromised again to include a piece of javascript redirecting Android users using Google Chrome to https://track-adv[.]com/analytics.php?personalization_id=<random number>," the report read. "The iframe delivered a Google Chrome exploit chain targeting CVE-2024-5274 and CVE-2024-4671 to deploy a Chrome information stealing payload."
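The injection pattern described above (a hidden third-party iframe and a script that redirects visitors to an external URL) is one a site operator can check their own pages for. The following scanner is an added example, not code from Google TAG or the article; the site host gov.example, the tracker.example URL and the sample HTML are constructed.

```python
# Added example (not Google TAG's or the article's code): flag watering-hole
# style injections in a page: third-party iframes and inline off-site redirects.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

REDIRECT_RE = re.compile(r"(?:window|document)\.location(?:\.href)?\s*=", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+")

class InjectionScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (kind, url) pairs in page order
        self._in_script = False

    def _foreign(self, url):  # host outside the site and its subdomains?
        host = (urlparse(url).hostname or "").lower()
        return bool(host) and not (host == self.site_host or host.endswith("." + self.site_host))

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        self._in_script = tag == "script"
        if tag in ("iframe", "script") and self._foreign(src):
            self.findings.append(("foreign-" + tag, src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script that assigns location and names an off-site URL
        if self._in_script and REDIRECT_RE.search(data):
            for url in URL_RE.findall(data):
                if self._foreign(url):
                    self.findings.append(("script-redirect", url))

def scan_html(html, site_host):
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample: one legitimate iframe, one injected hidden iframe and a
# redirect shaped like the article's "analytics.php?personalization_id=" URL.
SAMPLE_HTML = """<html><body><iframe src="/portal/login"></iframe>
<iframe src="https://tracker.example/analytics.php?personalization_id=8675309" width="0" height="0"></iframe>
<script>window.location = "https://tracker.example/analytics.php?personalization_id=4321";</script>
</body></html>"""
```

Run it periodically against a fetched copy of each public page and alert on any finding, since a legitimate page on the site should reference only its own hosts or a known allow-list.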

Regarding spyware vendors, the report said NSO Group previously exploited CVE-2024-5274 as a zero-day in May, while Intellexa exploited CVE-2023-41993 as a zero-day last September. It's unclear who first exploited CVE-2024-4671, which was disclosed as a zero-day vulnerability May 9. The TAG report did not attribute the initial exploitation to a specific threat actor or group, but researchers noted that APT29's exploit strongly resembled an Intellexa exploit for CVE-2021-37973, an older sandbox escape flaw in Chrome.

"While we are uncertain how suspected APT29 actors acquired these exploits, our research underscores the extent to which exploits first developed by the commercial surveillance industry are proliferated to dangerous threat actors," the report said.

Google said it notified Mongolian CERT to remediate infected websites, and that, "Although the underlying vulnerabilities had already been addressed, we notified both Apple and our partners at Android and Google Chrome about the campaigns at the time of discovery."

A Google spokesperson told TechTarget Editorial that although Chrome flaws CVE-2024-5274 and CVE-2024-4671 were initially exploited as zero-days, Google does not believe APT29 "was the first to exploit these vulnerabilities."

Apple did not respond to TechTarget Editorial's request for comment.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
