Russian Hacking Group APT29 Leverages Commercial Spyware Exploits for iOS and Android

CyberSecureFox 🦊

In a significant development in the cybersecurity landscape, the Russian-speaking hacking group APT29, also known as Midnight Blizzard and Cozy Bear, has been observed utilizing iOS and Android exploits originally created by commercial spyware manufacturers. This revelation comes from the Google Threat Analysis Group (TAG), highlighting a concerning trend in the evolution of state-sponsored cyber attacks.

Timeline and Tactics of APT29’s Recent Campaign

According to TAG specialists, APT29 conducted a series of sophisticated attacks between November 2023 and July 2024. The group’s primary target was the Mongolian government: it compromised several government websites and employed the “watering hole” technique. In this method, malicious code is injected into legitimate websites and the payload is served only to visitors who match chosen criteria, such as device architecture or location.

Exploitation of iOS Vulnerabilities

In November 2023, APT29 breached the Mongolian government websites cabinet.gov[.]mn and mfa.gov[.]mn. The attackers inserted a malicious iframe that delivered an exploit for the CVE-2023-41993 vulnerability in iOS WebKit. This exploit, targeting iPhones running iOS 16.6.1 and older, was used to steal user cookies. Notably, this exploit was identical to one used by Intellexa in September 2023 when the vulnerability was still a zero-day.

Targeting Android Users

The group’s tactics evolved in July 2024, when it exploited the vulnerabilities CVE-2024-5274 and CVE-2024-4671 affecting Google Chrome. These exploits were deployed against Android users visiting the mga.gov[.]mn website, with the objective of stealing cookies, passwords, and other sensitive data stored in victims’ browsers.

Connections to Commercial Spyware Vendors

The investigation revealed striking similarities between APT29’s exploits and those used by commercial spyware vendors like NSO Group and Intellexa. The exploit for CVE-2024-5274 was a slightly modified version of an NSO Group exploit used in May 2024, while the one for CVE-2024-4671 shared many characteristics with previous Intellexa exploits.

This unexpected connection raises the question of how APT29 obtained access to these sophisticated exploits. TAG researchers suggest several possibilities:

  • Compromising commercial spyware vendors
  • Recruiting or bribing employees of these companies
  • Direct collaboration with the companies or through intermediaries
  • Purchasing exploits from vulnerability brokers who previously sold them to NSO Group and Intellexa as zero-days

The discovery of APT29’s use of commercial-grade exploits marks a significant escalation in the capabilities of state-sponsored hacking groups. It underscores the need for heightened vigilance and robust cybersecurity measures, especially for government entities and organizations handling sensitive information. As the line between commercial spyware and state-sponsored cyber operations continues to blur, the global cybersecurity community must adapt its strategies to confront these evolving threats effectively.
