Writing in its blog, Google said it was uncertain how the Russian government acquired these exploits. However, this situation exemplifies how exploits created by spyware manufacturers can end up in the hands of "dangerous threat actors."
Google identifies the threat actors as APT29, a group of hackers widely attributed to Russia's Foreign Intelligence Service, or the SVR. APT29 is known for its highly capable and persistent campaigns aimed at espionage and data theft against various targets, including tech giants Microsoft and SolarWinds, as well as foreign governments.
Google reported finding the hidden exploit code embedded on Mongolian government websites between November 2023 and July 2024. During this period, anyone who visited these sites using an iPhone or Android device could have had their phone hacked and data stolen, including passwords, in what is known as a "watering hole" attack.
The exploits took advantage of vulnerabilities in the iPhone's Safari browser and Google Chrome on Android, which had already been patched at the time of the suspected Russian campaign. Nevertheless, these exploits could still be effective in compromising unpatched devices.