Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Russian State Hackers Using Commercial Spyware Exploits
By Husain Parvez, Cybersecurity Researcher. Published on 3rd September 2024.

A Russian state-sponsored hacker group, known as APT29 or "Cozy Bear," has been caught leveraging exploits initially developed by commercial spyware vendors NSO Group and Intellexa. This latest campaign, which ran from November 2023 to July 2024, targeted visitors to Mongolian government websites who were using unpatched iOS and Android devices.

Google's Threat Analysis Group (TAG) uncovered these activities, which involved "watering hole" attacks — a technique where attackers compromise legitimate websites to deliver malicious payloads to unsuspecting visitors. In this case, APT29 used exploits that were "strikingly similar to exploits previously used by commercial surveillance vendors (CSVs) Intellexa and NSO Group."

The attacks focused on vulnerabilities in Safari and Google Chrome. These vulnerabilities had already been patched, but devices that had not been updated were still at risk. The hackers aimed to steal sensitive data, including user cookies and passwords, which could be used to access government accounts.

Google's researchers highlighted the uncertainty surrounding how APT29 obtained these exploits. However, they said that "research underscores the extent to which exploits first developed by the commercial surveillance industry are proliferated to dangerous threat actors."

NSO Group stated that they "do not sell [their] products to Russia" and insisted that their technologies are sold exclusively to vetted intelligence and law enforcement agencies aligned with the US and Israel.

This incident marks yet another chapter in the ongoing saga of state-sponsored cyber espionage, with APT29 continuing its long history of high-profile attacks. Previously, the group was linked to the SolarWinds hack and the breach of the US Democratic National Committee servers.

In light of these ongoing threats, Google emphasizes the critical importance of maintaining up-to-date software. "Watering hole attacks remain a threat where sophisticated exploits can be utilized to target those that visit sites regularly, including on mobile devices," Google's TAG cautioned.

As cyber threats continue to evolve, incidents like the recent imprisonment of a Russian hacker for selling over 300,000 stolen credentials illustrate the persistent danger posed by cybercriminals. This latest incident shows the urgent need for robust cybersecurity measures to protect both governments and individuals from increasingly sophisticated attacks.

About the Author

Husain Parvez is a Cybersecurity Researcher and News Writer at vpnMentor, focusing on VPN reviews, detailed how-to guides, and hands-on tutorials. Husain is also a part of the vpnMentor Cybersecurity News bulletin and loves covering the latest events in cyberspace and data privacy.
