In recent years, elite commercial spyware vendors such as Intellexa and NSO Group have developed a number of powerful hacking tools that exploit rare, unpatched “zero-day” software vulnerabilities to compromise victims’ devices. And increasingly, governments around the world have emerged as major customers for these tools, compromising the smartphones of opposition leaders, journalists, activists, lawyers and others. However, on Thursday, Google’s Threat Analysis Group published findings about a series of recent hacking campaigns, apparently carried out by the notorious Russian APT29 gang Cozy Bear, which incorporated exploits very similar to those developed by Intellexa and NSO Group into the group’s ongoing espionage activity.
Between November 2023 and July 2024, attackers compromised Mongolian government websites and used the access to carry out “watering hole” attacks, in which anyone with a vulnerable device who loads a compromised website is targeted. The attackers configured the malicious infrastructure to use exploits that “were identical or strikingly similar to exploits previously used by commercial surveillance vendors Intellexa and NSO Group,” Google’s TAG wrote on Thursday. The researchers say they “assess with moderate confidence” that the campaigns were carried out by APT29.
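The watering-hole technique described above works because a trusted, legitimate site is quietly altered to load attacker-controlled content. One defensive control that follows directly from that description is content integrity monitoring of your own public sites: keep a known-good snapshot of each page and alert when a new page fetch contains script, iframe, embed or object loads from an origin that was not in the snapshot. The script below is an added example written for this article, not code from Google TAG or from the campaigns it describes; the page HTML, the site host `portal.gov.example`, the `.invalid` domains and the `find_injected_loads` helper are all constructed for illustration.

```python
"""Hypothetical watering-hole integrity check (added example, not TAG tooling).

Compares the remote resources a page loads against a known-good baseline
snapshot and reports loads from origins the baseline never referenced.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute that makes the browser fetch and execute/render remote content.
LOADING_ATTRS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}


class ResourceCollector(HTMLParser):
    """Collects (tag, url) pairs for every remote-loading element, in document order."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = LOADING_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.resources.append((tag, value.strip()))


def collect_resources(html):
    parser = ResourceCollector()
    parser.feed(html)
    return parser.resources


def origin_of(url, site_host):
    """Host a resource URL is fetched from.

    Relative URLs belong to the site itself; protocol-relative (//host/...) and
    absolute URLs carry their own host; data:/javascript: URLs get a pseudo-origin
    so they are never silently treated as first-party content.
    """
    parsed = urlparse(url)
    if parsed.scheme in ("data", "javascript"):
        return parsed.scheme + ":"
    if parsed.netloc:
        return parsed.netloc.lower()
    return site_host.lower()


def find_injected_loads(baseline_html, current_html, site_host, allowlist=()):
    """Return loads in current_html whose origin is absent from the baseline and allowlist.

    A new script/iframe from an origin the page never used before is the signal
    a watering-hole injection leaves in the page source itself.
    """
    known = {origin_of(url, site_host) for _, url in collect_resources(baseline_html)}
    known.update(host.lower() for host in allowlist)
    known.add(site_host.lower())
    findings = []
    for tag, url in collect_resources(current_html):
        origin = origin_of(url, site_host)
        if origin not in known:
            findings.append({"tag": tag, "url": url, "origin": origin})
    return findings


# Constructed sample pages (not real government content).
SITE_HOST = "portal.gov.example"
BASELINE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-analytics.invalid/tag.js"></script>
</head><body><p>Ministry portal</p></body></html>"""

# Same page with two constructed injected loads from an unknown origin.
CURRENT_HTML = BASELINE_HTML.replace(
    "</head>",
    '<script src="//injected.example.invalid/s.js"></script>\n'
    '<iframe src="https://injected.example.invalid/lp.html" width="1" height="1"></iframe>\n'
    "</head>",
)

if __name__ == "__main__":
    for finding in find_injected_loads(BASELINE_HTML, CURRENT_HTML, SITE_HOST):
        print(f"ALERT new {finding['tag']} load from {finding['origin']}: {finding['url']}")
```

Run it against periodic fetches of your own pages (ideally from several network vantage points, since injections can be served selectively); an empty result means no new origins, and any finding is worth treating as a possible compromise of the site or its CDN until explained.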
These spyware-like hacking tools exploited vulnerabilities in Apple’s iOS and Google’s Android that had already been largely patched. Originally, spyware vendors used them as unpatched zero-day exploits, but in this iteration, the suspected Russian hackers used them to target devices that had not been updated with these fixes.
“While we are not sure how the suspected APT29 actors acquired these exploits, our research highlights the extent to which exploits initially developed by the commercial surveillance industry are being spread to dangerous threat actors,” TAG researchers wrote. “Furthermore, watering hole attacks remain a threat where sophisticated exploits can be used to target those who regularly visit sites, including on mobile devices. Watering holes may still be an effective avenue to… massively target a population that might still be using unpatched browsers.”
Hackers may have purchased and adapted spyware exploits, stolen them, or acquired them through a leak. It is also possible that the hackers were inspired by commercial exploits and reverse engineered them by examining infected victim devices.
Between November 2023 and February 2024, hackers used an iOS and Safari exploit that was technically identical to an offering that Intellexa had first introduced a couple of months earlier as an unpatched zero-day in September 2023. In July 2024, hackers also used a Chrome exploit adapted from an NSO Group tool that first appeared in May 2024. This latter hacking tool was used in combination with an exploit that bore strong similarities to one that Intellexa introduced in September 2021.
When attackers exploit vulnerabilities that have already been patched, the activity is known as “n-day exploitation,” because the vulnerability still exists and can be abused on unpatched devices over time. The alleged Russian hackers incorporated commercial spyware-adjacent tools, but they crafted their overall campaigns (including malware distribution and activity on compromised devices) differently from the way a typical commercial spyware customer would. This indicates a level of fluency and technical competence characteristic of an established, well-resourced, state-backed hacking group.
“In each iteration of the watering hole campaigns, the attackers used exploits that were either identical or strikingly similar to exploits from [commercial surveillance vendors] Intellexa and NSO Group,” TAG wrote. “We do not know how the attackers acquired these exploits. What is clear is that APT actors are using n-day exploits that were originally used as 0-days by CSV.”