An investigation by Google’s Threat Analysis Group (TAG) found evidence that Russian-backed threat actor APT29 used iterations of watering hole campaigns that were “identical or strikingly similar” to exploits developed by notorious spyware firms NSO Group and Intellexa.
TAG discovered that Mongolian government websites had been targeted by multiple campaigns in early 2024 after discovering hidden exploit code embedded in the sites. The exploits meant that anyone using the sites with an iPhone or Android device could have had their phone hacked and data stolen.
APT29 is well known for its ties to the Russian Foreign Intelligence Service and its notable attacks on high-ranking Western targets, such as US and German government officials, as well as SolarWinds and Microsoft.
All patched up
The exploit code used in the attacks targeting iPhones shared “the exact same trigger as the exploit used by Intellexa,” while the Android version used a “very similar trigger” to code developed by NSO Group, TAG said. A patch was available for the exploits, but the attack was still effective against unpatched devices.
It's unclear how the hackers obtained a copy of the exploit, but it's possible they bought it directly from the companies or stole it. TAG's research doesn't indicate that APT29 recreated the exploits independently, but rather that it somehow managed to get its hands on the spyware creators' code.
The United States government recently sanctioned Intellexa for developing and selling the Predator spyware, which was used to target US government officials and journalists, and NSO Group for its development of the Pegasus surveillance tool.
In early 2024, Poland launched an investigation into the use of Israeli-developed Pegasus spyware against opposition political figures by the previous administration.
Google recommends that users and organizations apply patches promptly and keep software fully updated to protect against these types of attacks.