In recent years, top-tier commercial spyware companies such as Intellexa and NSO Group have created sophisticated hacking tools exploiting rare and unpatched “zero-day” software vulnerabilities to infiltrate devices. More and more, governments around the world are becoming the main purchasers of these tools, targeting the smartphones of opposition figures, journalists, activists, lawyers, and others. On Thursday, Google’s Threat Analysis Group is releasing findings about a series of recent hacking operations—apparently run by Russia’s infamous APT29 Cozy Bear group—that utilize exploits very similar to those crafted by Intellexa and NSO Group in ongoing spy activities.
From November 2023 to July 2024, the perpetrators breached Mongolian government websites and leveraged this access to launch “watering hole” attacks, where any user with a vulnerable device visiting a compromised website becomes a victim of hacking. The attackers established malicious infrastructure utilizing exploits that “were identical or strikingly similar to those previously used by commercial surveillance vendors Intellexa and NSO Group,” as per Google’s TAG. The researchers “assess with moderate confidence” that these campaigns were orchestrated by APT29.
These spyware-like hacking tools took advantage of vulnerabilities in Apple’s iOS and Google’s Android that were largely already fixed. Initially, they were used by the spyware vendors as unpatched, zero-day exploits, but in these instances, the suspected Russian hackers employed them to target devices that had not been updated with these patches.
“While we cannot confirm how suspected APT29 actors obtained these exploits, our research highlights the degree to which exploits initially developed by the commercial surveillance industry have been shared with dangerous adversaries,” commented the TAG researchers. “Furthermore, watering hole attacks continue to pose a risk where advanced exploits can be used to target frequent site visitors, including those on mobile devices. Watering holes can still effectively facilitate widespread targeting of a demographic that might still use unpatched browsers.”
There are several possible explanations: the hackers may have bought and modified spyware exploits, obtained them through theft or a leak, or simply taken inspiration from commercial exploits and reverse engineered them after examining devices that had been compromised.
“NSO does not sell its products to Russia,” stated Gil Lainer, the vice president for global communications at NSO Group, in an interview with WIRED. “Our technology is exclusively sold to intelligence and law enforcement agencies that are allies of the US and Israel. We ensure our systems and technologies are secure and under continuous surveillance to prevent and mitigate threats from outside sources.”
From November 2023 to February 2024, the hackers utilized an iOS and Safari exploit nearly identical to one that Intellexa initially introduced as an unpatched zero-day in September 2023. In July 2024, the hackers also deployed a Chrome exploit that was derived from a tool originally developed by NSO Group in May 2024. This particular exploit was used alongside another that bore significant resemblance to one released by Intellexa in September 2021.
This is what is known as “n-day exploitation”: attackers targeting vulnerabilities that have already been patched, which underlines the lasting risk to devices that remain unpatched over time. The Russian hackers in question used tools similar to commercial spyware, but orchestrated their campaigns — from the delivery of malware to the activities on infected devices — in ways that diverge from typical commercial spyware usage, suggesting a sophisticated and resource-rich state-backed hacking entity behind the operations.
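The defensive corollary of n-day exploitation is that exposure is mostly a patch-lag question: a fleet owner can answer “which of my devices still run a build older than the fix?” with a version comparison against the vendor's fixed release. The following is an added illustration, not code from Google TAG or from the article; the fixed-version table and the device inventory are constructed placeholders, and real fix versions would come from the vendor advisories for the bugs in question.

```python
import re

# Constructed placeholders: the build at or above which a component is considered
# patched. These are NOT real advisory numbers; take them from vendor bulletins.
FIXED_VERSIONS = {
    "ios": "17.0.0",
    "chrome": "120.0.0.0",
}


def parse_version(s: str) -> tuple:
    """Turn a dotted version string into a tuple of ints (non-numeric parts dropped)."""
    parts = re.findall(r"\d+", s)
    if not parts:
        raise ValueError(f"no numeric components in version {s!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str) -> bool:
    """True if the installed build is at or above the fixed build.

    Shorter tuples are zero-padded so that "17.5" compares equal to "17.5.0".
    """
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b


def triage(inventory) -> list:
    """Return (device_id, component, installed, fixed) for every device still
    running a build older than the fix, i.e. still exposed to n-day exploitation."""
    exposed = []
    for dev in inventory:
        for component, installed in dev["components"].items():
            fixed = FIXED_VERSIONS.get(component)
            if fixed is None:
                continue  # no fix tracked for this component
            if not is_patched(installed, fixed):
                exposed.append((dev["id"], component, installed, fixed))
    return exposed


# Constructed sample inventory, as a device-management export might provide it.
SAMPLE_INVENTORY = [
    {"id": "phone-01", "components": {"ios": "17.1.2"}},
    {"id": "phone-02", "components": {"ios": "16.7.2"}},
    {"id": "laptop-03", "components": {"chrome": "118.0.5993.88"}},
    {"id": "laptop-04", "components": {"chrome": "121.0.0.0"}},
]

if __name__ == "__main__":
    for dev_id, component, installed, fixed in triage(SAMPLE_INVENTORY):
        print(f"{dev_id}: {component} {installed} is below fixed build {fixed}")
```

A version number is only a proxy for patch state: some vendors backport fixes into older release lines and Android additionally carries a separate security patch level, so a production check should key on the vendor's own advisory data rather than a single threshold per component.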
“In each iteration of the watering hole campaigns, the attackers used exploits that were identical or strikingly similar to exploits from commercial surveillance vendors, Intellexa and NSO Group,” TAG wrote. “We do not know how the attackers acquired these exploits. What is clear is that APT actors are using n-day exploits that were originally used as 0-days by CSVs.”
Updated at 2pm ET, August 29, 2024: Added comment from NSO Group.