Russian State Hackers Exposed Using Commercial Spyware Tactics
Russian state-sponsored hackers, known as APT29 or Cozy Bear, have been exposed using commercial spyware vendors' tactics in a series of attacks on Mongolian government websites. This is a rare instance of a state-backed group reusing techniques from private spyware companies.
The first campaign, targeting iOS users, exploited an iOS WebKit vulnerability (CVE-2023-41993) to steal Safari user account cookies. The hackers also exploited vulnerabilities in Apple's Safari browser and Google Chrome on Android to distribute malware. Google's Threat Analysis Group (TAG) assessed with moderate confidence that these campaigns were conducted by APT29.
The exploits used in these campaigns were previously employed by commercial spyware vendors NSO Group and Intellexa. The second campaign, targeting Android users, used a Chrome exploit chain (CVE-2024-5274 and CVE-2024-4671) against unpatched devices. These attacks occurred between November 2023 and July 2024, compromising cabinet.gov[.]mn and mfa.gov[.]mn websites.
Google TAG notified the relevant parties, including Apple, Alphabet's Android and Google Chrome units, and the Mongolian CERT about the campaigns. The use of commercial spyware vendors' tactics by a state-sponsored group highlights the evolving nature of cyber threats and the importance of international cooperation in cybersecurity.