The Russian state-sponsored hacking group APT29, also tracked as "Midnight Blizzard," has been observed reusing iOS and Android exploits first deployed by commercial spyware vendors, in a series of attacks conducted between November 2023 and July 2024. The activity was uncovered by Google's Threat Analysis Group (TAG). Every vulnerability involved had already been patched by the time APT29 used it, so these were n-day rather than zero-day exploits: harmless to fully updated devices, but still effective against any device that had not applied the fix.
Discovery of APT29's Activities
APT29 is known for advanced operations against governments and other high-value targets. In this campaign it compromised several Mongolian government websites and used them for "watering hole" attacks: the legitimate site is modified to load attacker-controlled code (here, an injected iframe), which profiles each visitor and serves an exploit only to those who match the attacker's criteria, such as device type, operating-system version or geographic location. Everyone else sees the normal page, which keeps the compromise quiet.
According to TAG, the exploits APT29 used were identical or strikingly similar to ones first used by the commercial surveillance vendors NSO Group and Intellexa. Those vendors had deployed them as zero-days, that is, against vulnerabilities for which no patch was yet available. By the time APT29 used the same code the flaws had been fixed, so in APT29's hands they were n-day exploits, effective only against devices that had not updated.
Timeline of the Attacks
APT29 has a well-documented history of exploiting both zero-day and n-day vulnerabilities. In 2021 the group used CVE-2021-1879, then a zero-day in Apple's WebKit, against government officials in Western European countries, with the aim of stealing authentication cookies for services such as LinkedIn, Gmail and Facebook.
The recent series began in November 2023, when APT29 compromised the Mongolian government sites 'mfa.gov[.]mn' and 'cabinet.gov[.]mn' and injected a malicious iframe into them. The iframe delivered an exploit for CVE-2023-41993, a WebKit flaw, to visitors on iPhones running iOS 16.6.1 or older; Apple had fixed the bug in iOS 16.7 and 17.0.1 in September 2023, so updated devices were not affected. The payload was a cookie stealer aimed at the victim's browser sessions. TAG noted that the exploit used the same trigger as the one Intellexa had used as a zero-day in September 2023.
In February 2024 APT29 delivered the same iOS WebKit exploit through a new iframe on another Mongolian government site, 'mga.gov[.]mn'. In July 2024 the group turned to Android users of 'mga.gov[.]mn', chaining two Google Chrome bugs: CVE-2024-5274, a type confusion in the V8 JavaScript engine used to gain code execution in the renderer, and CVE-2024-4671, a use-after-free in Chrome's Visuals component used to escape the renderer sandbox. The payload's goal was to steal cookies and passwords stored in Chrome.
TAG observed that the CVE-2024-5274 exploit was a modified version of one NSO Group had used in May 2024, and that the CVE-2024-4671 sandbox escape closely resembled an earlier Intellexa exploit.
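The watering-hole mechanics above come down to two things a responder can check for: an injected off-site or hidden iframe in the compromised page, and the exploit's targeting gate, which in the iOS campaigns served the payload only to iOS 16.6.1 and older. The following is an added example written for this page, not code from TAG or from the article; it scans a page for suspicious iframes and triages an access log for visitors who fell inside that version gate. The HTML page, the log lines and the placeholder iframe domain (`exploit-host.invalid`) are all constructed here; the "hidden iframe" heuristic is this example's own, and the version cut-off mirrors the "16.6.1 and older" targeting stated above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page from a compromised site. The hidden iframe's domain is a
# placeholder (.invalid), not an indicator from the TAG report.
SAMPLE_HTML = """
<html><body>
<h1>Ministry news</h1>
<iframe src="https://mfa.gov.mn/embed/map" width="400"></iframe>
<iframe src="https://exploit-host.invalid/stats.php" style="display:none; width:0; height:0"></iframe>
</body></html>
"""

# Constructed access-log lines (Apache combined format) for visitors to the compromised
# site. IPs are documentation addresses; user agents are typical Safari/Chrome strings.
SAMPLE_LOG = """
203.0.113.7 - - [12/Nov/2023:09:14:02 +0800] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
203.0.113.9 - - [12/Nov/2023:09:15:40 +0800] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1"
198.51.100.4 - - [12/Nov/2023:09:16:11 +0800] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.66 Mobile Safari/537.36"
198.51.100.23 - - [12/Nov/2023:09:18:55 +0800] "GET /news/42 HTTP/1.1" 200 7810 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 15_7_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6 Mobile/15E148 Safari/604.1"
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def suspicious_iframes(html, site_host):
    """Return iframes whose src points off-site or that are styled to be invisible.

    The hidden-style check is a triage heuristic (this example's own), not a signature:
    legitimate pages sometimes hide iframes too, so hits need a human look.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        src = frame.get("src") or ""
        host = urlparse(src).hostname or ""   # "" for relative URLs
        off_site = host != "" and host != site_host and not host.endswith("." + site_host)
        style = (frame.get("style") or "").replace(" ", "").lower()
        hidden = any(k in style for k in ("display:none", "width:0", "height:0"))
        if off_site or hidden:
            findings.append({"src": src, "off_site": off_site, "hidden": hidden})
    return findings


IOS_UA = re.compile(r"iPhone OS (\d+(?:_\d+)*) like Mac OS X")


def parse_version(text):
    """'16_6_1' or '16.6.1' -> (16, 6, 1); tuples compare component-wise, so 16.6 < 16.6.1 < 16.7."""
    return tuple(int(part) for part in re.split(r"[._]", text))


def ios_version_from_ua(user_agent):
    """iOS version tuple from a Safari user agent, or None for non-iOS visitors."""
    match = IOS_UA.search(user_agent)
    return parse_version(match.group(1)) if match else None


def in_targeted_range(version, newest_targeted=(16, 6, 1)):
    """Mirror of the campaign's gate: iOS 16.6.1 and older received the WebKit exploit."""
    return version is not None and version <= newest_targeted


LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def triage_access_log(lines):
    """List (ip, timestamp, ios_version) for visitors the exploit gate would have served."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        version = ios_version_from_ua(match["ua"])
        if in_targeted_range(version):
            hits.append((match["ip"], match["ts"], ".".join(map(str, version))))
    return hits


if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_HTML, "mfa.gov.mn"):
        print("suspicious iframe:", finding)
    for ip, ts, ver in triage_access_log(SAMPLE_LOG.strip().splitlines()):
        print(f"{ip} at {ts} on iOS {ver}: inside exploit gate, treat as potentially compromised")
```

Run against a saved copy of the site and its logs, the first function narrows the iframes worth inspecting (the on-site map iframe is ignored; the hidden off-site one is flagged), and the second turns the exploit's own version gate into a victim list: only the iOS 16.6.1 and 15.7.8 visitors are reported, while the iOS 17.0.3 and Android visitors are not, since the iOS exploit would not have fired for them. The same approach applies to the Android Chrome campaign if you substitute a Chrome version gate, which the article does not specify, so it is left out here.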
Unanswered Questions and Speculations
The most striking open question is how APT29 obtained exploits previously seen only in the hands of commercial spyware vendors; TAG did not determine the source. Given how close the code is, independent rediscovery is unlikely: the group almost certainly had the original exploit code or detailed knowledge of it.
Several scenarios are possible: APT29 may have compromised a spyware vendor, recruited or bribed an insider, or dealt with the vendors directly or through intermediaries. Another is that the exploits came from a vulnerability broker who had earlier sold the same bugs, as zero-days, to the surveillance firms.
The Broader Implications
That a state-backed group like APT29 can obtain and reuse exploits first built by commercial spyware vendors has a practical consequence: an exploit does not stop being dangerous once it is patched and publicly known. It underscores the need for organisations and individuals to apply patches promptly, and not to discount advisories that describe exploitation as limited or targeted; as this campaign shows, an exploit a vendor used against a handful of targets can resurface months later as an n-day in a state actor's watering hole. Hardening helps as well: TAG noted that iOS devices with Lockdown Mode enabled were not affected even when running a vulnerable version.