Cyber criminals use spyware manufacturers as a model for attacking browsers

Cyberattacks on visitors to government websites show the same approach as the commercial spyware vendors Intellexa and the NSO Group. The attackers were probably a Russian-backed group.


IT security researchers have detected several cyberattacks in recent months on visitors to previously compromised Mongolian government websites. The attacks are most likely the work of a Russian-backed criminal group. The attackers exploited the same vulnerabilities and followed the same modus operandi as commercial spyware vendors such as Intellexa and the NSO Group. By injecting malicious code into the websites, they were able to extract data such as cookies, passwords and browsing histories from visitors' web browsers.

The attackers are believed to be APT29 (also known as "Cozy Bear"), a group of cyber criminals supported by the Russian government. The same gang is accused of the cyberattack on the software provider SolarWinds and of attempted election manipulation in the USA. Most recently, a linguistically clumsy spear-phishing attack on the CDU was attributed to the group, before a vulnerability in a Check Point gateway was identified as the entry point for the latest attack on the CDU. APT29 is believed to be associated with the Russian military intelligence service GRU.


Google's Threat Analysis Group (TAG) has now linked the group to cyberattacks on the websites of the Mongolian cabinet and the country's foreign ministry. The attackers used the sites as a so-called "watering hole": legitimate, inconspicuous and frequently visited websites that are compromised in order to infect their visitors with malware. In this case, hidden iframes were injected into the pages, through which visitors' data could be siphoned off, as TAG writes.

Initially, in November 2023 and February 2024, visitors' iPhones were attacked in order to read cookies and data stored on them. In July 2024, Android users visiting the sites with Chrome were attacked as well; hidden iframes were used in all cases. Although the manufacturers had already patched the relevant security vulnerabilities by the dates mentioned, many devices had not yet received the updates.
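The watering-hole pattern described above, hidden iframes injected into a legitimate site that load content from an attacker-controlled origin, is what a site owner's page integrity check should look for. The following is an added example, not code from the article or from TAG: a small Python scanner that flags iframes which are both hidden (zero-size, `display:none`, `visibility:hidden`, `opacity:0` or the `hidden` attribute) and point at a host outside the site's own domain; the HTML and all domain names are constructed placeholders.

```python
"""Flag hidden third-party iframes in a page: a watering-hole integrity check."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS that renders an iframe invisible or collapses it to nothing.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)",
    re.I,
)


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag and attribute names
            self.iframes.append(dict(attrs))


def is_hidden(attrs):
    """True if the iframe's own attributes make it invisible to the visitor."""
    if "hidden" in attrs or HIDDEN_STYLE.search(attrs.get("style") or ""):
        return True
    for key in ("width", "height"):  # width="0" / height="1" style collapsing
        value = (attrs.get(key) or "").strip().lower().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


def find_suspicious_iframes(html, site_host):
    """Return src URLs of iframes that are hidden AND load from a foreign host."""
    collector = IframeCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        same_site = host == site_host or (host or "").endswith("." + site_host)
        if host and not same_site and is_hidden(attrs):
            findings.append(src)
    return findings


# Constructed sample page: one visible embed, one same-site tracker, two hidden foreign frames.
SAMPLE_HTML = """<html><body><h1>Ministry news</h1>
<iframe src="https://www.example-gov.test/video" width="640" height="360"></iframe>
<iframe src="https://cdn.example-placeholder.test/lp.html" style="display:none"></iframe>
<iframe src="https://static.example-gov.test/stats" width="0" height="0"></iframe>
<iframe hidden src="https://another-placeholder.test/x"></iframe>
</body></html>"""

if __name__ == "__main__":
    for url in find_suspicious_iframes(SAMPLE_HTML, "example-gov.test"):
        print("suspicious hidden iframe:", url)
```

Run against a snapshot of each public page on a schedule and diff the output; a hidden frame appearing where none existed before is the signal the TAG report describes.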

TAG notes that the code used in the attack on iPhones used "exactly the same trigger as the Intellexa exploit". The Android attack, on the other hand, was slightly modified from the NSO Group's approach but used a "very similar trigger"; it is conceptually different, and the similarities are less obvious than in the iOS case. While only cookie data could be captured from iPhones, the Android attack also reached the login data and browsing history stored in the Chrome browser.

It remains unclear how the Russian attackers obtained the details of how to exploit these vulnerabilities. They could have bought or stolen the information from the commercial spyware vendors Intellexa or the NSO Group. According to TAG, there is nothing to suggest that these exploits were developed entirely in-house.

The European Intellexa consortium is known for its Predator spyware, which, according to the USA, is used worldwide as a means of digital repression. For this reason, the USA stepped up its action against developers and providers of commercial spyware at the beginning of this year and took action against leading figures behind the Intellexa spyware. The NSO Group is known for its Pegasus spyware, which was recently used to attack journalists critical of Putin in the EU.

(fds)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.