Research from Google’s Threat Analysis Group (TAG) has found evidence Russian-backed threat actor APT29 used iterations of watering hole campaigns which were ‘identical or strikingly similar’ to exploits developed by notorious spyware companies NSO Group and Intellexa.
TAG found Mongolian government websites were hit by multiple campaigns earlier in 2024 after discovering hidden exploit codes embedded in the sites. The exploits meant anyone who used the sites using an iPhone or Android device may have had their phone hacked and data stolen.
APT29 is well-known for its links to Russia’s Foreign Intelligence Service and notable attacks on high-ranking western targets, such as US and German Government officials, as well as SolarWinds and Microsoft.
All patched up
The exploit code used in the attacks targeting iPhones shared the “exact same trigger as the exploit used by Intellexa,”, whilst the Android version used a “very similar trigger” to a code developed by NSO Group, TAG said. A patch was available for the exploits, but the attack was still effective against unpatched devices.
It’s unclear how the hackers obtained the copy of the exploit, but it could have been bought from the companies directly or stolen. TAG’s research does not indicate APT29 recreated the exploits organically, but rather somehow managed to get a hold of the spyware maker’s program.
The US government recently sanctioned the Intellexa consortium for developing and selling spyware Predator, which was used to target US government officials and journalists, and the NSO Group for its development of the Pegasus surveillance tool.
Earlier in 2024, Poland launched an investigation into the use of the Israeli-developed Pegasus spyware against opposition political figures by the previous administration.
Google recommends users and organizations apply patches quickly and keep software fully up-to-date to protect against this type of attack. We’ve listed the best malware removal tools to help you stay protected.