
Android and iOS Users Attacked by Russian APT29 Hackers, Google Warns

The analysis, conducted by Clement Lecigne and Josh Atkins of the Threat Analysis Group at Google and Luke Jenkins of Mandiant, found that multiple attacks carried out over a nine-month period were attributed to a hacking group known as APT29, which has ties to the Russian government.

The attacks targeted both Android and iOS users, using exploits against Apple Safari and Google Chrome. Here’s what we know and how you can reduce your risk of becoming a victim.

APT29 Attacks on Chrome and Safari Mobile Browsers Explained

A Google TAG report authored by Clement Lecigne and published on August 29 revealed that the attacks deployed by the Russian state-sponsored hacking group APT29 are the same as those used by commercial spyware vendors in the past.

Observed by Google and Mandiant security researchers between November 2023 and July 2024, the exploits were part of what’s known as a watering hole attack. It’s pretty much what you’d expect: a cyberattack that reaches victims by compromising a site or service they typically use and trust, much like predators that hide near real watering holes to catch thirsty animals at their most vulnerable moments. “The use of watering holes bypasses traditional network security controls like URL categorization filters,” said Adam Maruyama, director of field technology at Garrison Technology, “because the site owner and the human-readable content hosted there are legitimate, leaving only a few layers of protection between the end-user device and the malicious web code.” The threat becomes even more acute on mobile devices, Maruyama continued, “where few users have endpoint protection products that stop even known exploits, leaving unpatched devices vulnerable to attacks.”

In these particular attacks the watering holes were Mongolian government sites, although the same tactics would apply to any chosen victim. State-sponsored groups like APT29 tend to go for the big game, as they say: the commercial and government organizations whose compromise benefits their paymasters the most. The common denominator was the browser: first Safari on older versions of iOS (those prior to 16.6.1), then Chrome versions m121 to m123 on Android. It should be noted that patches had already been released for the vulnerabilities exploited in these attacks, but users running unpatched versions were at risk.
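Because the exploits only worked against browsers in the version ranges named above, one practical follow-up for a defender is to find out which devices on the network are still reporting those versions. The script below is an added example written for this article, not code from Google TAG, Mandiant or Forbes. It assumes web-server access logs in the common combined format (User-Agent as the last quoted field), and the sample log lines are constructed for illustration. It flags iOS WebKit browsers reporting a version older than 16.6.1 and Android Chrome reporting milestones 121 through 123.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges as reported in the article (constants are this example's own).
IOS_FIXED = (16, 6, 1)              # iOS releases before 16.6.1 were exposed
CHROME_AFFECTED = range(121, 124)   # Chrome m121 through m123 on Android

# "CPU iPhone OS 16_5 like Mac OS X" (iPhone) and "CPU OS 16_5 like Mac OS X" (iPad).
IOS_RE = re.compile(r"OS (\d+)_(\d+)(?:_(\d+))? like Mac OS X")
CHROME_RE = re.compile(r"Chrome/(\d+)\.")
# Combined log format: the User-Agent is the final double-quoted field.
UA_FIELD_RE = re.compile(r'"([^"]*)"\s*$')
IP_RE = re.compile(r"^(\S+)")


def ios_version(ua: str) -> Optional[Tuple[int, int, int]]:
    """Extract the iOS version from a User-Agent string, or None if not iOS.

    Caveat: iOS User-Agents usually omit the patch level, so 16.6.1 shows up
    as 16_6. A missing patch level is treated as 0, which errs toward flagging.
    """
    m = IOS_RE.search(ua)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify_user_agent(ua: str) -> Optional[str]:
    """Return a reason string if the UA falls in an affected range, else None."""
    ios = ios_version(ua)
    if ios is not None:
        # Every browser on iOS uses WebKit, so the check is on the OS version.
        if ios < IOS_FIXED:
            return "iOS %d.%d.%d WebKit browser: older than 16.6.1" % ios
        return None
    if "Android" in ua:
        # Other Chromium-based Android browsers also carry a Chrome/ token;
        # that is acceptable for a hygiene screen, which is all this is.
        m = CHROME_RE.search(ua)
        if m and int(m.group(1)) in CHROME_AFFECTED:
            return "Android Chrome m%s: within m121-m123" % m.group(1)
    return None


def scan_log(lines: List[str]) -> List[dict]:
    """Return one finding per log line whose client reports an affected browser."""
    findings = []
    for line in lines:
        ua_match = UA_FIELD_RE.search(line)
        ip_match = IP_RE.match(line)
        if not ua_match or not ip_match:
            continue  # malformed line; skip rather than guess
        reason = classify_user_agent(ua_match.group(1))
        if reason:
            findings.append({"ip": ip_match.group(1), "reason": reason})
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Mar/2024:10:01:02 +0000] "GET /news HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1"',
    '203.0.113.11 - - [05/Mar/2024:10:01:05 +0000] "GET /news HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1"',
    '203.0.113.12 - - [05/Mar/2024:10:02:11 +0000] "GET /forms HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (iPad; CPU OS 16_6 like Mac OS X) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"',
    '198.51.100.7 - - [05/Mar/2024:10:03:40 +0000] "GET /news HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/122.0.6261.64 Mobile Safari/537.36"',
    '198.51.100.8 - - [05/Mar/2024:10:03:41 +0000] "GET /news HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/124.0.6367.54 Mobile Safari/537.36"',
    '198.51.100.9 - - [05/Mar/2024:10:04:00 +0000] "GET /news HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/122.0.6261.64 Safari/537.36"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], "->", finding["reason"])
```

Two limits worth keeping in mind: the User-Agent is supplied by the client and can be altered, and iOS rarely reports its patch level, so this is a coarse screen for unpatched devices to chase up, not evidence that any of them was exploited.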

iOS and Android browsers in the exploit frame

The iOS exploit used the same cookie-stealing framework previously seen in a 2012 attack, again by an attacker backed by the Russian government, that targeted authentication cookies from sites like LinkedIn, Gmail, and Facebook, according to Lecigne. “In that campaign,” Lecigne said, “the attackers used LinkedIn Messaging to target government officials from Western European countries by sending them malicious links.” In the latest campaign, the attackers used a reconnaissance payload from an infected site to determine whether a user had an infected iPhone or iPad before delivering the actual exploit.

The Chrome campaign against Android users followed a similar pattern, but required “an additional sandbox escape vulnerability to break out of Chrome’s site isolation,” Lecigne said. Site isolation means attackers have to string together a series of vulnerabilities to succeed, which, while not impossible as this attack shows, requires greater capabilities and resources. “While the trend in the mobile space is toward complex exploit chains,” Lecigne said, “the iOS campaign is a good reminder that a single vulnerability can do harm and succeed.”

Mitigating watering hole attacks

“Cybersecurity arrangements must be agile and continually updated to keep up with the changing threat landscape. Cybercriminals are constantly developing new tactics, techniques and procedures to exploit vulnerabilities and bypass security controls,” said Spencer Starkey, vice president of SonicWall, “and organizations must be able to quickly adapt and respond to these threats.”

Organizations should certainly consider implementing solutions like hardware-enforced browser isolation, which moves code execution away from the end-user device and into a sandbox. “Sandboxing code execution gives the user access to the information presented on the page,” Maruyama said, “but they’re not exposed to malicious code presented when less secure government websites become watering holes.”

End users should always ensure that their devices and the applications installed on them are updated with the latest security patches.