
Commercial spyware inspires state-sponsored attackers

Google's Threat Analysis Group (TAG) has spotted a disturbing similarity in attack tactics used by commercial spyware vendors and Russia-linked attack gangs.

The TAG team spotted a watering hole attack – a nasty tactic that sees crooks seed a legitimate website with malicious code – that it has attributed to the Russia-sponsored APT29 group, which used it to attack Mongolia’s Cabinet server and Ministry of Foreign Affairs.

You may remember APT29, aka Cozy Bear, as the Russian government cracking mob that plundered the US Democratic National Committee servers, then went after EU government targets. The same group was behind the SolarWinds mass intrusion and in January 2024 Microsoft admitted the gang had been monitoring its internal emails.

The code left at the watering hole targeted known vulnerabilities in mobile operating systems, but the Google infosec folk noted similarities with offerings from commercial spyware vendors like NSO Group and Intellexa.

"In each iteration of the watering hole campaigns, the attackers used exploits that were identical or strikingly similar to exploits previously used by commercial surveillance vendors (CSVs) Intellexa and NSO Group," TAG noted.


Commercial spyware vendors are legitimate but controversial, and also lucrative, businesses. But they are increasingly under fire.

Meta is suing NSO Group for hacking WhatsApp users. Apple is also suing and has labelled NSO’s customers "mercenary spyware."

In May, key workers of Intellexa were placed under US Treasury sanctions after the discovery that its surveillanceware was used to monitor American government officials and journalists. Intellexa was added to the Entity List of banned companies last year.

Google's threat finders reported on the timeline of the watering hole attack from November 2023 until it was shut down in recent months. Mongolia’s Cabinet and Foreign Affairs web servers were first infected with malware designed to exploit the recently patched CVE-2023-41993 vulnerability in iOS, a vulnerability Intellexa exploited in September of that year. Apple had fixed the issue after spotting it in use by commercial spyware maker NSO Group.

Then in May 2024 NSO began exploiting Android's V8 JavaScript engine flaw, which was patched that month. Two months later the APT29 gang were using the same vulnerability to ravage the Mongolians, in conjunction with a Chrome vulnerability fixed the same month by Google.

"While we are uncertain how suspected APT29 actors acquired these exploits, our research underscores the extent to which exploits first developed by the commercial surveillance industry are proliferated to dangerous threat actors," the TAG team concluded.

"Moreover, watering hole attacks remain a threat where sophisticated exploits can be utilized to target those that visit sites regularly, including on mobile devices." ®

Source: theregister.com
