Spyware, Russia’s Cozy Bear seem to share same exploits

Google’s Threat Analysis Group (TAG) has spotted an interesting pattern: A Kremlin-linked cyber-espionage crew and commercial spyware makers exploiting specific security vulnerabilities in pretty much the same way.

The TAG team reckon a crew dubbed APT29, said to be directed by the Russian government, infected the websites of Mongolia’s Cabinet and Ministry of Foreign Affairs to exploit known flaws in Apple’s iOS and Chrome on Android in order to hijack devices of the sites’ visitors. This tactic is known as a watering hole attack, in which a legit site that valuable netizens often visit is compromised so it can be used to in turn compromise those targets.

You may remember APT29, aka Cozy Bear, as the suspected Russian government cyber-spies that plundered US Democratic National Committee servers, and went after European government targets. The same group was behind the SolarWinds supply chain backdoor, and in January 2024 Microsoft admitted the gang had been monitoring its internal emails.

According to the Googlers, the exploit code quietly deployed at the Mongolian watering hole to takeover devices was pretty close to offerings from commercial spyware vendors such as NSO Group and Intellexa. Fancy that.

“In each iteration of the watering hole campaigns, the attackers used exploits that were identical or strikingly similar to exploits previously used by commercial surveillance vendors (CSVs) Intellexa and NSO Group,” TAG noted today.

Commercial spyware vendors are controversial and lucrative businesses. They are also increasingly under fire.

Meta is suing NSO Group for compromising WhatsApp users. Apple is also suing, and has essentially labelled NSO’s software “mercenary spyware.”

In May key workers of Intellexa were placed under US Treasury sanctions after its surveillanceware was, we’re told, used to monitor American government officials and journalists. Intellexa was added to Uncle Sam’s Entity list of unwelcome companies last year.

Google’s threat finders documented the timeline of the Mongolian watering hole attack from November 2023 until it was shut down in recent months. Mongolia’s Cabinet and Foreign Affairs web servers were first infected with malware designed to exploit the recently patched CVE-2023-41993 vulnerability in iOS, a flaw Intellexa exploited in September of that year. Apple had fixed the issue after spotting it in use by commercial spyware maker NSO Group.

Then in May 2024 NSO began exploiting Android’s V8 JavaScript engine flaw, which was patched that month. Two months later the APT29 gang were using the same vulnerability to ravage visitors to the Mongolian sites, in conjunction with a Chrome vulnerability fixed the same month by Google.

“While we are uncertain how suspected APT29 actors acquired these exploits, our research underscores the extent to which exploits first developed by the commercial surveillance industry are proliferated to dangerous threat actors,” the TAG team concluded.

“Moreover, watering hole attacks remain a threat where sophisticated exploits can be utilized to target those that visit sites regularly, including on mobile devices.” ®