Google Unveils Russian Government Hackers’ Usage of Spyware Exploits

In a recent blog post, Google disclosed that Russian government hackers are utilizing exploits that are either identical or strikingly similar to those previously developed by spyware manufacturers Intellexa and NSO Group. This revelation underscores the potential dangers of advanced spyware falling into the hands of malicious actors.

Uncovering the Exploits

Google’s Threat Analysis Group (TAG) identified these exploits being employed by APT29, a notorious group linked to Russia’s Foreign Intelligence Service (SVR). APT29 is well-known for its sophisticated and persistent cyber-espionage campaigns targeting major tech companies and foreign governments.

The malicious code was found embedded on Mongolian government websites from November 2023 to July 2024. Visitors to these sites using iPhones or Android devices risked having their devices compromised through a “watering hole” attack, leading to potential data theft, including passwords.

Exploits Targeting Browsers

Despite the vulnerabilities in the iPhone’s Safari browser and Google Chrome on Android being patched, the exploits remained effective on unpatched devices. The attack on iPhones aimed to steal user account cookies stored in Safari, targeting online email providers used by the Mongolian government. For Android devices, two distinct exploits were used to steal cookies from the Chrome browser.

Linking the Code to Russia

Google’s security researcher, Clement Lecigne, noted the difficulty in pinpointing the exact targets of the Russian hackers. However, the location of the exploit and typical site visitors suggested Mongolian government employees were likely targets. Lecigne emphasized that the code’s reuse pointed to Russia, as similar cookie-stealing code had been observed during a 2021 APT29 campaign.

Origins of the Exploits

One of the pressing questions is how Russian hackers obtained these exploits. Google speculated that the exploits could have been purchased post-patch or stolen from another customer. Notably, the exploit used against Chrome shared similarities with one developed by NSO Group, while the iPhone exploit mirrored one by Intellexa.

Industry Responses

NSO Group, in a statement, denied selling its products to Russia, claiming their technologies are exclusively sold to vetted U.S. and Israel-allied agencies. There were no responses from the Russian Embassy, Mongolia’s Permanent Mission to the UN, or Intellexa. Apple also did not comment.

Preventative Measures

Google advised users to promptly apply software patches to mitigate cyber threats. Lecigne highlighted that iPhone and iPad users with Lockdown Mode enabled were not affected even if running vulnerable software versions. This incident serves as a stark reminder of the importance of keeping devices updated to prevent exploitation.