Key Takeaways
- A Russian hacker group exploited vulnerabilities in Chrome on Android and Safari’s WebKit on iOS.
- The attacks targeted the Mongolian government, stealing sensitive user data with a watering hole attack.
- Google suspects the hackers used commercially-available spyware, underscoring the need to keep software updated.
If you ever wondered why you should always update your software, a report from Google today has your answer. The company discovered hackers potentially using commercial spyware to exploit the Chrome browser on Android, as well as Apple’s WebKit on iOS. The attackers were identified as APT29, a Russian government-backed hacking group also known as “Midnight Blizzard.”
The report from Google’s Threat Analysis Group (TAG) exposed the cyberattacks targeting the Mongolian government. The attacks set up watering holes on official Mongolian websites and exploited vulnerabilities in Chrome on Android and Safari on iPhone. The exploit allowed the attackers to steal sensitive user data such as passwords and cookies. The report mentions the exploit for iPhones and iPads could steal information from web-based emails, as well.
How the attacks unfolded
The TAG report says the attacks happened between November 2023 and July 24. It began by targeting Apple WebKit vulnerabilities. APT29 set up “watering holes” on Mongolian government websites that targeted anyone who visited the sites.
A watering hole is malicious code planted on a website its intended victims already visit frequently, so that the site itself attacks its visitors. It can go undetected for some time because the host site keeps working normally and shows no obvious sign of compromise.
Google says a new watering hole was set up on a Mongolian government website at the end of July 2024, specifically to target the Chrome browser on Android.
Google suspects APT29 used commercially-available spyware for their attacks. Spyware developed by commercial surveillance vendors like NSO Group and Intellexa is frequently used by government authorities to target journalists and activist groups. Google says the recent attacks show the same patterns as both vendors’ spyware. Both vendors were themselves victims of hacks over the past year, and Intellexa was recently sanctioned by the US Government.
It is unclear whether APT29 bought the spyware commercially or acquired it by some other means.
Google notified Apple immediately upon discovering the exploit, and both companies have issued patches to close the vulnerabilities. It’s a stark reminder of the need to keep software up to date. Everyone should practice good cybersecurity hygiene to protect against these threats, such as not reusing passwords, using a good VPN, and not opening suspicious links from emails and texts. Thankfully, groups like Google’s TAG are out there, fighting the good fight for us all.