Google reports NSO Group exploit used by Russian group to target Mongolian government

Hey there, folks! I’ve got some cybersecurity news to share straight from our beautiful Bay Area. This is particularly relevant if you are in healthcare or cybersecurity circles – or simply interested in understanding the complex web we’re all navigating in the digital world. Let’s talk about a security incident involving websites run by the Mongolian government.

Now remember, no one is pointing fingers yet, but Google security researchers have identified signs of a hacking campaign and linked it to our far-off neighbors in Russia. Interestingly, the campaign relied on exploits (code that takes advantage of a software vulnerability), and they’re strikingly similar to those developed and sold by Intellexa and NSO Group – you might know them as commercial surveillance vendors.

What I found remarkable about this campaign is that it’s a classic “watering hole” scenario. For those of you who aren’t aware, a watering hole attack is a method where attackers infiltrate the popular online spaces of their intended targets. In this case, the would-be victims were likely groups of people who frequently visited the compromised Mongolian government websites.

It seems the campaign started in November 2023 and lasted all the way till July 2024, installing malicious code on the websites for Mongolia’s Ministry of Foreign Affairs and the country’s cabinet. At first, it looked like the hackers were targeting iPhone users. Later, however, they also added versions to target Android and Chrome users.

Here’s the heads-up for all you iPhone users out there – if you’re running iOS versions 16.6.1 or older, you could have been vulnerable. Applicable patches have been released, but you might have been in hot water if you didn’t update your devices on time.

Google’s Threat Analysis Group (TAG), the tech company’s very own digital detectives, identified a connection between this incident and a previous campaign run by the same group. The attacks didn’t just serve as a disruption – the hackers were also trying to steal browser cookies from these devices! If you didn’t know, browser cookies often have login credentials and other sensitive data.

Our friends at the TAG compared this exploit to one used by Intellexa, and guess what they found? Both exploits had the exact same trigger. Remember the legendary spyware manufacturer that Uncle Sam blacklisted a while back? Yes, that’s Intellexa!

Now, I can imagine what you might be thinking: “Could the Russian group have straight-up copied the exploits?” It’s a good question – but the answer isn’t so straightforward. The exploit used against Android devices, for instance, was altered and put to use in a way that wasn’t seen with the Apple devices. So, things aren’t as clear as they seem.

The most alarming part of the picture? Aside from stealing cookies, the bad guys were after a whole lot more. They were trying to siphon off account data like credit cards, stored passwords in Chrome, and even users’ browsing history.

Do keep in mind that watering hole attacks, sophisticated as they might seem, remain a formidable threat, especially for those who regularly visit certain sites – including on mobile devices. What’s clear is that the landscape is evolving – some of these so-called Advanced Persistent Threat groups are experimenting with exploits that were once exclusively used by commercial vendors.

It’s amazing to think about how everything is interconnected in this digital age. At the end of the day, this news is just another reminder of how critical it is to stay one step ahead and safeguard our digital lives. As we navigate our way through the complexities of the technology landscape, remember to keep your cyber guard up, folks!

by Morgan Phisher | HEAL Security