Spyware fuels government cyber attacks

August 31, 2024
1 min read

TLDR:

Google’s Threat Analysis Group (TAG) has found a pattern in which a Kremlin-linked cyber-espionage crew and commercial spyware makers exploit the same security vulnerabilities in a similar manner. The crew, tracked as APT29 and believed to be directed by the Russian government, recently compromised the websites of Mongolia’s Cabinet and Ministry of Foreign Affairs and used them to deliver exploits for known, already-patched flaws in Apple’s iOS and in Chrome on Android. The exploit code used by this group resembles code used by commercial spyware vendors such as NSO Group and Intellexa. This raises concerns that dangerous exploits are spreading from the commercial surveillance industry to malicious threat actors.

Google’s Threat Analysis Group (TAG) has identified similarities between a Kremlin-linked cyber-espionage group and commercial spyware vendors, highlighting the potential sharing of exploit codes and tactics.

The APT29 group, also known as Cozy Bear and suspected of being backed by the Russian government, compromised the websites of Mongolia’s Cabinet and Ministry of Foreign Affairs and used them to serve exploits for vulnerabilities in Apple’s iOS and in Chrome on Android to the sites’ visitors.

The exploit code used by APT29 was found to be closely related to code used by commercial spyware vendors such as NSO Group and Intellexa, raising concerns that exploits developed for the surveillance industry are reaching other malicious actors.

This discovery underscores the ongoing threat posed by watering hole attacks, in which a legitimate website is compromised so that it quietly serves malicious content to its unsuspecting visitors, including, as in this case, visitors browsing from mobile devices.
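The mechanism behind a watering hole, as an added example rather than anything from the article or from Google's report: the attacker leaves the legitimate page intact and adds a hidden iframe or script element that pulls the exploit from an attacker-controlled origin, so a useful routine check for site owners is to diff a page's external loaders against the origins the site is supposed to use. The allowlist, the sample HTML and every domain in it below are constructed for this example.

```python
"""Flag iframe/script loads that point off a site's expected origins.

Added example, not code from the article or from Google's TAG report.
ALLOWED_HOSTS and SAMPLE_HTML are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: origins this site is expected to load resources from.
ALLOWED_HOSTS = {"www.example-gov.test", "cdn.example-gov.test"}

# Constructed sample: a legitimate page with one injected, hidden iframe.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example-gov.test/js/site.js"></script>
</head><body>
<h1>Ministry news</h1>
<iframe src="https://stats.attacker.test/load.html"
        style="width:0;height:0;border:0;visibility:hidden"></iframe>
<script src="/js/local.js"></script>
</body></html>"""

# Inline style fragments commonly used to keep an injected element invisible.
HIDDEN_STYLE_MARKERS = ("visibility:hidden", "display:none", "width:0", "height:0")


class LoaderScanner(HTMLParser):
    """Collect every <iframe>/<script> that has a src, noting hidden styling."""

    def __init__(self):
        super().__init__()
        self.loads = []  # list of (tag, src, hidden)

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = any(marker in style for marker in HIDDEN_STYLE_MARKERS)
        self.loads.append((tag, src, hidden))


def suspicious_loads(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (tag, src, hidden) for loads whose host is not allowlisted.

    Relative URLs such as "/js/local.js" are same-origin and are not
    reported. Protocol-relative URLs ("//host/x") still carry a host and
    are reported when that host is off the allowlist.
    """
    scanner = LoaderScanner()
    scanner.feed(html)
    flagged = []
    for tag, src, hidden in scanner.loads:
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            flagged.append((tag, src, hidden))
    return flagged


if __name__ == "__main__":
    for tag, src, hidden in suspicious_loads(SAMPLE_HTML):
        print(f"{tag:6} {src} hidden={hidden}")
```

Run it against a fetched copy of each public page on a schedule and alert on any new off-allowlist loader; the hidden flag is a strong signal but not required, since an exploit page can just as well be loaded in a visible frame.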

Commercial spyware vendors like NSO Group and Intellexa have faced legal challenges and sanctions for their role in facilitating surveillance activities against individuals and organizations.

Google’s research documented the timeline of the Mongolian watering hole attack, highlighting that the exploits it used targeted vulnerabilities Apple and Google had already detected and fixed; APT29 nevertheless leveraged them afterwards, which means the attack hit visitors whose devices had not yet received those updates.
