Google is urging its users to ‘apply patches quickly’ and ‘keep software fully up-to-date’ after discovering a nine-month-long cyberattack it has tied to Russian spies.
Worse still, this Russian espionage campaign appears to have leveraged commercial ‘spyware’ developed by a Greek cyber intelligence firm — that had been sanctioned by the US government this March for ‘misuse of surveillance tools.’
Spyware made by the firm, Intellexa, based on the island of Cyprus, have been implicated in attacks everywhere from Ireland to Vietnam to the United States.
Fortunately, according to Google, most of the vulnerabilities exploited by this specific hacking operation have been patched for users who installed crucial updates to Apple iOS and its Safari browser and Google Chrome.
Google is urging its users to ‘apply patches quickly’ after discovering a nine-month-long cyberattack it has tied to Russian spies. The tech giant said these vulnerabilities have been patched for users who installed updates to Apple iOS, its Safari browser and Google Chrome
Google’s Threat Analysis Group assessed with ‘moderate confidence’ that the hacking campaigns it uncovered were linked to Russia’s Foreign Intelligence Service (SVR). Above, Vladimir Putin visiting SVR’s Moscow headquarters on the spy agency’s 100th anniversary
In their report, Google’s Threat Analysis Group noted that the flaws exposing iPhone or iPad users to these attacks were patched in September 2023 for anyone who has updated to Apple iOS 16.7 and Safari 16.6.1.
Similarly, for Android phone owners and users of the Google Chrome browser, their own vulnerabilities to these attacks were fixed by May 2024 with Chrome version 124.0.6367.201/.202 for Windows and macOS, and version 124.0.6367.201 for Linux.
‘We notified both Apple and our partners at Android and Google Chrome about the campaigns at the time of discovery,’ Google security engineer Clément Lecigne said.
Lecigne, who is based in Switzerland, added that Google’s threat analysis assessed with ‘moderate confidence’ that the hacking campaigns the discovered in the wild were ‘linked to the Russian government-backed actor APT29.’
Sometimes known as Cozy Bear or Group 100, APT29 is an evolving set of hacking and spyware tools that Western intelligence has long accused of being the work of a hacking team acting on behalf of Russia’s foreign spy agency, SVR.
The APT29 hacking payloads were discovered hidden on government websites for the Mongolia’s cabinet and ministry of foreign affairs — suggesting espionage goals.
‘We also notified the Mongolian CERT [Cybersecurity Emergency Response Teams] to remediate the infected websites,’ Lecigne noted in his report.
But Google’s cybersecurity researchers advised that there is wider concern that this form of attack is likely to be replicated, not only by Russian state-sponsored hackers but by any well-trained team using these same spyware tools.
In a timeline published with their new report on these case, Google’s Threat Analysis Group noted that the core ‘exploits’ used to turn these two Mongolian government websites into a ‘watering hole’ trap for unsuspecting visitors on the web — likely officials of this central Asian country and perhaps US diplomats and spies in the region — came from commercial spyware companies.
‘In each iteration of the watering hole campaigns,’ Lecigne’s report noted, ‘the attackers used exploits that were identical or strikingly similar to exploits from CSVs [commercial surveillance vendors] Intellexa and NSO Group.’
Since at least November 2021, the Biden Administration has blacklisted the mercenary spyware firm NSO Group on the US Commerce Department’s Entity List barring American companies from doing business with the Israeli outfit.
In a timeline published with their new report, Google’s Threat Analysis Group noted that the core ‘exploits’ used to turn two Mongolian government websites into a ‘watering hole’ trap for unsuspecting visitors on the web came from two spyware companies sanctioned by the US
One of those firms, Intellexa, was sanctioned this March for its Predator tool, by which hackers can infiltrate devices through stunning ‘zero-click’ attacks that require no user interaction
The White House accused NSO of allowing its proprietary Pegasus software of being ‘misused around the world to enable human rights abuses, including to target journalists, human rights activists, or others perceived as dissidents and critics.’
Intellexa was similarly sanctioned for its Predator tool, by which hackers can infiltrate devices through stunning ‘zero-click’ attacks that require no user interaction.
Google’s security team noted that it alarming to see suspected Russian state actors benefiting from already patched security flaws via commercial spyware packages.
The campaign clearly implied that spies hoped to infiltrate a maximum number of Mongolian government officials and visiting foreign diplomats, banking on individuals failing to update their personal web-browsing software.
Older patched security flaws, called n-day exploits, typically have been thought of as less of a security concern than brand new unpatched flaws, known as 0-day exploits.
‘We do not know how the attackers acquired these exploits,’ Lecigne cautioned.
‘What is clear,’ he noted, ‘is that APT actors are using n-day exploits that were originally used as 0-days by CSVs.’