Threat hunters at Google say they’ve found evidence of a Russian state-backed hacking group reusing iOS and Chrome exploits previously deployed by commercial spyware merchants NSO Group and Intellexa.
According to researchers in the Google TAG (Threat Analysis Group), Russia’s APT29 has been observed using exploits with identical or striking similarities to those used by NSO Group and Intellexa, suggesting potential acquisition of tools between state-backed actors and controversial surveillance software vendors.
The Russian hacking team, also known as Midnight Blizzard or NOBELIUM, has been blamed for several high-profile corporate hacks, including a breach at Microsoft that included the theft of source code and executive email spools.
According to Google’s researchers, APT29 ran multiple in-the-wild exploit campaigns delivered through a watering hole attack on Mongolian government websites. The campaigns first delivered an iOS WebKit exploit affecting iOS versions older than 16.6.1 and later used a Chrome exploit chain against Android users running versions m121 to m123.
“These campaigns delivered n-day exploits for which patches were available, but would still be effective against unpatched devices,” Google TAG said, noting that in each iteration of the watering hole campaigns the attackers used exploits that were identical or strikingly similar to exploits previously used by NSO Group and Intellexa.
Google published technical documentation of an Apple Safari campaign between November 2023 and February 2024 that delivered an iOS exploit via CVE-2023-41993 (patched by Apple and attributed to Citizen Lab).
“When visited with an iPhone or iPad device, the watering hole sites used an iframe to serve a reconnaissance payload, which performed validation checks before ultimately downloading and deploying another payload with the WebKit exploit to exfiltrate browser cookies from the device,” Google said, noting that the WebKit exploit did not affect users running the current iOS version at the time (iOS 16.7) or iPhones with Lockdown Mode enabled.
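As an added defender-side example (not code from Google's write-up or from this article), the script below checks web-server access logs for visitors whose browser fell inside the n-day ranges quoted above, which is the exposure a site operator would want to assess after a watering hole compromise; the log lines and the User-Agent patterns are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple

# Ranges quoted in the article: iOS older than 16.6.1, Android Chrome m121 to m123.
IOS_FIXED = (16, 6, 1)
CHROME_TARGETED = range(121, 124)

def parse_version(text: str) -> Tuple[int, ...]:
    """'16_6_1' or '122.0.6261.64' -> a comparable integer tuple."""
    return tuple(int(p) for p in re.split(r"[._]", text))

def ios_version(ua: str) -> Optional[Tuple[int, ...]]:
    """iOS/iPadOS version from a Safari User-Agent, or None if not iOS."""
    m = re.search(r"(?:iPhone|CPU) OS (\d+(?:_\d+)*)", ua)
    return parse_version(m.group(1)) if m else None

def android_chrome_major(ua: str) -> Optional[int]:
    """Chrome major version for Android clients only, or None otherwise."""
    m = re.search(r"Android.*Chrome/(\d+)\.", ua)
    return int(m.group(1)) if m else None

def exposure(ua: str) -> Optional[str]:
    """Name the chain this client was in scope of, or None if out of range."""
    ios = ios_version(ua)
    if ios is not None:
        return "ios-webkit" if ios < IOS_FIXED else None
    major = android_chrome_major(ua)
    if major is not None and major in CHROME_TARGETED:
        return "android-chrome"
    return None

# Constructed combined-log-format lines (not real traffic); the UA is the last field.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15"',
    '203.0.113.6 - - [10/Jan/2024:10:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 16_7 like Mac OS X) AppleWebKit/605.1.15"',
    '198.51.100.9 - - [10/Jan/2024:10:01:04 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 Chrome/122.0.6261.64 Mobile Safari/537.36"',
]

def flag_exposed(lines: List[str]) -> List[Tuple[str, str]]:
    """(client IP, chain) for every request from a client in an exploited range."""
    hits = []
    for line in lines:
        ua = re.search(r'"([^"]*)"\s*$', line)
        tag = exposure(ua.group(1)) if ua else None
        if tag:
            hits.append((line.split()[0], tag))
    return hits
```

Clients already on iOS 16.6.1 or later, or on a Chrome major outside 121 to 123, are left unflagged, matching the article's note that the chain did not affect current iOS at the time.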
According to Google, the exploit from this watering hole “used the exact same trigger” as a publicly discovered exploit used by Intellexa, strongly suggesting the authors and/or providers are the same.
“We do not know how attackers in the recent watering hole campaigns acquired this exploit,” Google said.
Google noted that both exploits share the same exploitation framework and loaded the same cookie stealer framework previously intercepted when a Russian government-backed attacker exploited CVE-2021-1879 to acquire authentication cookies from prominent websites such as LinkedIn, Gmail, and Facebook.
The researchers also documented a second attack chain hitting two vulnerabilities in the Google Chrome browser. One of those bugs (CVE-2024-5274) was discovered as an in-the-wild zero-day used by NSO Group.
In this case, Google found evidence the Russian APT adapted NSO Group’s exploit. “Even though they share a very similar trigger, the two exploits are conceptually different and the similarities are less obvious than the iOS exploit. For example, the NSO exploit was supporting Chrome versions ranging from 107 to 124 and the exploit from the watering hole was only targeting versions 121, 122 and 123 specifically,” Google said.
The second bug in the Russian attack chain (CVE-2024-4671) was also reported as an exploited zero-day, and the exploit sample resembles a Chrome sandbox escape previously linked to Intellexa.
“What is clear is that APT actors are using n-day exploits that were originally used as zero-days by commercial spyware vendors,” Google TAG said.