Google's Threat Analysis Group (TAG) has found evidence that the Russian-backed group APT29 ran successive watering hole campaigns using exploits that were “identical or strikingly similar” to those developed by the notorious spyware companies NSO Group and Intellexa.
TAG discovered that Mongolian government websites were hit by multiple campaigns earlier in 2024 after exploit code was discovered hidden in the sites. The exploits meant that anyone accessing the sites with an iPhone or Android device could potentially have their phone hacked and their data stolen.
APT29 is known for its ties to Russia’s Foreign Intelligence Service and for high-profile attacks on Western targets, such as American and German government officials, as well as SolarWinds and Microsoft.
Everything is repaired
The exploit code used in the attacks on iPhones shared “the exact same trigger as the exploit used by Intellexa,” while the Android version used a “very similar trigger” to code developed by NSO Group, TAG said. A patch was available for the exploits, but the attack was still effective against unpatched devices.
It’s unclear how the hackers obtained the copy of the exploit, but it could have been purchased directly from the companies or stolen. TAG’s research doesn’t indicate that APT29 recreated the exploits organically, but that it somehow obtained the program from the spyware maker.
The US government recently imposed sanctions on the Intellexa consortium for the development and sale of the Predator spyware, which was used to target US government officials and journalists, and on the NSO Group for the development of the Pegasus surveillance tool.
Earlier in 2024, Poland launched an investigation into the previous government’s use of the Israeli-developed Pegasus spyware against opposition figures.
Google recommends that users and organizations apply patches quickly and keep software fully up to date to protect against this type of attack, since the exploits observed in these campaigns only worked against devices that had not yet been updated.