TLDR:
Google’s Threat Analysis Group (TAG) has found a pattern in which a Kremlin-linked cyber-espionage crew and commercial spyware makers exploit specific security vulnerabilities in a similar manner. A crew known as APT29, believed to be directed by the Russian government, recently compromised the websites of Mongolia’s Cabinet and Ministry of Foreign Affairs, using them to exploit known flaws in Apple’s iOS and in Chrome on Android against visitors. The exploit code used by this group resembles code used by commercial spyware vendors such as NSO Group and Intellexa. This raises concerns about the proliferation of dangerous exploits from the commercial surveillance industry to malicious threat actors.
Google’s Threat Analysis Group (TAG) has identified similarities between a Kremlin-linked cyber-espionage group and commercial spyware vendors, highlighting the potential sharing of exploit code and tactics.
The APT29 group, also known as Cozy Bear and suspected to be backed by the Russian government, compromised the websites of Mongolia’s Cabinet and Ministry of Foreign Affairs in order to exploit security vulnerabilities in Apple’s iOS and Chrome on Android on the devices of visitors.
The exploit code used by APT29 was found to be closely related to that used by commercial spyware vendors such as NSO Group and Intellexa, raising concerns about the spread of dangerous exploits to malicious actors.
This discovery underscores the ongoing threat posed by watering hole attacks, where legitimate websites are compromised to target unsuspecting visitors, including those using mobile devices.
Commercial spyware vendors like NSO Group and Intellexa have faced legal challenges and sanctions for their role in facilitating surveillance activities against individuals and organizations.
Google’s research documented the timeline of the Mongolian watering hole attack, highlighting that the exploits used had previously been detected and patched by Apple and Google, yet were subsequently reused by APT29.