In an analysis by Clement Lecigne and Josh Atkins from Google’s Threat Analysis Group and Mandiant’s Luke Jenkins, multiple in-the-wild attacks spanning a nine-month period have been confirmed as being attributed to a hacking group known as APT29, which has links to the Russian government.
The attacks targeted both Android and iOS users with exploits against Apple Safari and Google Chrome browsers. Here’s what we know and how you can mitigate the risk of falling victim.
The APT29 Attacks Against Chrome and Safari Mobile Browsers Explained
The Google TAG report, authored by Clement Lecigne, and published on August 29, revealed that the exploits being deployed by the Russian state-sponsored APT29 hacking group were the same as those used by commercial spyware vendors in the past.
Observed by the Google and Mandiant security analysts between November 2023 and July 2024, the exploits formed part of what is known as a watering hole attack. This is pretty much what you would expect it to be: a cyberattack that targets victims by infecting a website or service they would ordinarily use and trust, just as predators ambush thirsty animals, at their most vulnerable, beside a real watering hole. “The use of watering hole attacks circumvents traditional web security controls like URL categorization filters,” Adam Maruyama, field chief technology officer at Garrison Technology said, “because the owner of the site and the human-readable content hosted there are legitimate, leaving only a few layers of protection between the end user’s device and the malicious webcode.” The threat becomes even more acute on mobile devices, Maruyama continued, “where few users have endpoint protection products to stop even known exploits, leaving unpatched devices vulnerable.”
In these particular attacks the watering holes were Mongolian government websites, although the same tactic would apply to any targeted victim. State-sponsored groups such as APT29 tend to go for big game, as it were: the commercial and government organizations whose compromise benefits their paymasters most. The common denominator was unpatched software: the victims were initially Safari users on older versions of iOS (those before 16.6.1) and later Android users running versions m121 to m123 of the Chrome browser. Fixes for the exploited vulnerabilities had already been released, but users still running unpatched versions remained at risk.
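As an added defender-side example (not code from the report or from this article), the following Python triage reads web-proxy access logs and flags clients whose self-reported browser falls inside the version ranges named above; the log line format, client addresses and User-Agent strings are constructed for the example.

```python
import re

# Version boundaries as stated on this page: Safari on iOS before 16.6.1
# and Chrome m121 to m123 on Android were the exploited configurations.
IOS_FIXED_VERSION = (16, 6, 1)
CHROME_AFFECTED_MAJORS = range(121, 124)  # 121, 122, 123
IOS_UA = re.compile(r"\((?:iPhone|iPad);[^)]*OS (\d+(?:_\d+)*)")
ANDROID_CHROME_UA = re.compile(r"Android[^)]*\).*?Chrome/(\d+)\.")

def parse_ios_version(raw: str) -> tuple:
    """'16_5_1' -> (16, 5, 1); tuple ordering gives (16, 6) < (16, 6, 1) < (16, 10)."""
    return tuple(int(part) for part in raw.split("_"))

def classify_user_agent(ua: str) -> str:
    """Return 'ios-unpatched', 'chrome-affected' or 'ok' for one User-Agent string."""
    m = IOS_UA.search(ua)
    if m:
        ver = parse_ios_version(m.group(1))
        return "ios-unpatched" if ver < IOS_FIXED_VERSION else "ok"
    m = ANDROID_CHROME_UA.search(ua)          # Android only: desktop Chrome is out of scope
    if m and int(m.group(1)) in CHROME_AFFECTED_MAJORS:
        return "chrome-affected"
    return "ok"

# Constructed sample proxy log lines (client address, quoted User-Agent); not real traffic.
SAMPLE_LOG = [
    '10.0.0.11 "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1"',
    '10.0.0.12 "Mozilla/5.0 (iPad; CPU OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"',
    '10.0.0.13 "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.64 Mobile Safari/537.36"',
    '10.0.0.14 "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.84 Mobile Safari/537.36"',
    '10.0.0.15 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"',
]
LOG_LINE = re.compile(r'^(\S+) "(.*)"$')

def find_at_risk_clients(lines) -> dict:
    """Map each client address to its risk class, omitting clients that look fine."""
    at_risk = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                          # malformed line: skip rather than crash
        verdict = classify_user_agent(m.group(2))
        if verdict != "ok":
            at_risk[m.group(1)] = verdict
    return at_risk

if __name__ == "__main__":
    for client, verdict in find_at_risk_clients(SAMPLE_LOG).items():
        print(f"{client}: {verdict}")
```

User-Agent strings are self-reported and can be reduced or spoofed, so treat a hit as a patch-hygiene lead to follow up with device inventory, not as proof of compromise.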
iOS And Android Browsers In The Exploit Frame
The iOS exploit used the same cookie-stealer framework previously seen in a 2012 attack, again by a Russian government-backed attacker according to Lecigne, that went after authentication cookies from sites such as LinkedIn, Gmail and Facebook. “In that campaign,” Lecigne said, “attackers used LinkedIn Messaging to target government officials from Western European countries by sending them malicious links.” In this campaign, the attackers used a reconnaissance payload served from the compromised website to determine whether the user had an infectable iPhone or iPad before delivering the actual exploit.
The Chrome campaign against Android users followed a similar pattern but required an “additional sandbox escape vulnerability to break out of Chrome site isolation,” Lecigne said. Site isolation means that attackers must chain several vulnerabilities together to succeed, which, as this attack shows, is not impossible but demands more capability and resources. “Although the trend in the mobile space is towards complex full exploit chains,” Lecigne said, “the iOS campaign is a good reminder of the fact that a single vulnerability can inflict harm and be successful.”
Mitigating Against Watering Hole Attacks
“Cybersecurity arrangements must be agile and constantly updated to keep up with the evolving threat landscape. Cybercriminals are constantly developing new tactics, techniques, and procedures to exploit vulnerabilities and bypass security controls,” Spencer Starkey, a vice-president at SonicWall said, “and companies must be able to quickly adapt and respond to these threats.”
Organizations should certainly be looking at deploying measures such as hardware-enforced browser isolation, which moves code execution off the end-user device and into a sandboxed environment. “Putting the code execution in a sandbox ensures that the user has access to the information presented on the page,” Maruyama said, “but is not exposed to malicious code presented when a less-secure government’s websites are turned into watering holes.”
End users, meanwhile, should always ensure that their devices, and the apps installed upon them, are updated with the very latest security patches.