Top Russian APT Has a Copycat Among Commercial Spyware Vendors

Russian-Backed Threat Actor APT29 Linked to Multiple Exploit Campaigns Delivering N-day Mobile Exploits

Google’s Threat Analysis Group (TAG) has uncovered multiple exploit campaigns linked to a Russian-backed threat actor tracked as APT29, also known as Cozy Bear and Midnight Blizzard. These campaigns delivered n-day mobile exploits that had previously been used by commercial spyware vendors.

The exploit campaigns were carried out through a watering hole attack on Mongolian government websites, specifically targeting cabinet.gov.mn and mfa.gov.mn. By injecting code to exploit known vulnerabilities in iOS and Chrome on Android, the threat actors aimed to compromise visitors’ devices.

Researchers at Google TAG noted that the exploits used in these campaigns were identical to those employed by commercial surveillance vendors Intellexa and NSO Group, indicating a potential connection between the authors and providers.

Despite the patches released for the vulnerabilities, the exploit campaigns resurfaced on three separate occasions, with the latest attack occurring just a month ago. The researchers emphasized the concerning trend of threat actors repurposing exploits originally developed by the commercial surveillance industry for malicious purposes.

While the source of these exploits remains unclear, the incident underscores the increasing threat posed by the reuse of exploits by malicious actors. As the cybersecurity landscape continues to evolve, vigilance and collaboration among researchers, industry, and governments will be crucial in mitigating these risks.
