We assess with moderate confidence the campaigns are linked to the Russian government-backed actor APT29.
Google's investigation found that the threat actor embedded malicious code on the Mongolian government websites cabinet.gov[.]mn and mfa.gov[.]mn.
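As an added triage example (not code from the article or from Google TAG's report), the script below shows the check a responder would run against a page suspected of hosting a watering hole of this kind: parse the HTML and list every script or iframe source whose host falls outside the site's own domain. The sample page is constructed here; the injected hostnames are placeholders, not indicators from the real campaign, and the page does not say how the malicious code was embedded. The "own domain" heuristic keeps the last three DNS labels (so static.cabinet.gov.mn counts as cabinet.gov.mn); that depth is an assumption, and a real deployment would use the Public Suffix List instead.

```python
"""
Added example (not from the original article or from Google TAG): flag
script/iframe sources on a page that point outside the site's own domain.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page on cabinet.gov[.]mn (written undefanged only so that
# urlparse can handle it; nothing here is fetched). Two same-site scripts plus
# one injected cross-site script and one hidden cross-site iframe. The
# example-placeholder.net hosts are placeholders, not real indicators.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cabinet.gov.mn/static/vendor.js"></script>
<script src="https://cdn.example-placeholder.net/loader.js"></script>
</head><body>
<iframe src="https://tracker.example-placeholder.net/frame" width="0" height="0"></iframe>
</body></html>
"""


class _SrcCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.sources = []  # list of (tag, src)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append((tag, value))


def registrable_domain(host, depth=3):
    """Approximate the site's own domain by keeping the last `depth` labels.
    Assumption: three labels (e.g. cabinet.gov.mn) suit .gov.mn hosts; use the
    Public Suffix List for anything beyond a one-off check."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-depth:])


def find_external_sources(html, page_url, depth=3):
    """Return [(tag, src, host)] for script/iframe sources whose host is not
    within the page's own domain. Relative URLs are same-origin and skipped."""
    parser = _SrcCollector()
    parser.feed(html)
    own = registrable_domain(urlparse(page_url).hostname, depth)
    external = []
    for tag, src in parser.sources:
        host = urlparse(src).hostname
        if host is None:  # relative URL resolves to the page's own origin
            continue
        if registrable_domain(host, depth) != own:
            external.append((tag, src, host))
    return external


if __name__ == "__main__":
    for tag, src, host in find_external_sources(SAMPLE_HTML, "https://cabinet.gov.mn/news/"):
        print(f"external {tag}: {src} (host {host})")
```

Run it against a saved copy of the page rather than a live fetch, and treat every hit as a lead to verify against the site's known third-party dependencies: a legitimate CDN will show up here too, so the value is in diffing the list against a known-good baseline of the same page.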
For instance, the November 2023 (cabinet.gov[.]mn and mfa.gov[.]mn) and February 2024 (mfa.gov[.]mn)
The payload was the same cookie stealer framework that TAG previously observed being used in 2021 in a suspected APT29 campaign.
Users with Lockdown Mode enabled were not affected even when running a vulnerable iOS version.
In July 2024, mfa.gov[.]mn
All three vulnerabilities mentioned above have been exploited before by either NSO Group or Intellexa.
However, it remains unclear how APT29 gained access to the same exploits that these commercial surveillance vendors had used.
source: www.techworm.net