According to Google, hackers backed by the Kremlin are using exploits from commercial spyware vendors

Critics of spyware and exploit vendors have long warned that the advanced hacking tools sold by commercial surveillance vendors (CSVs) pose a global danger because they inevitably end up in the hands of malicious parties, even if the CSVs promise they will only be used against known criminals. On Thursday, Google analysts presented evidence backing up the criticism after finding that spies working for the Kremlin used exploits that are “identical or strikingly similar” to those sold by spyware makers Intellexa and NSO Group.

The hacking group, tracked under names such as APT29, Cozy Bear and Midnight Blizzard, is believed to be working on behalf of Russia's foreign intelligence service SVR. Researchers at Google's Threat Analysis Group, which tracks government hacking, said Thursday they observed APT29 using exploits identical or very similar to those first used by commercial exploit vendors NSO Group of Israel and Intellexa of Ireland. In both cases, the commercial surveillance vendors' exploits were first used as zero-day exploits, meaning when the vulnerabilities were not yet publicly known and no patch was available.

Identical or strikingly similar

Once patches for the vulnerabilities were available, TAG said, APT29 used the exploits in watering hole attacks, which infect targets by secretly planting exploit code on websites the targets are known to visit. Because the bugs had already been fixed, these were N-day attacks: they relied on visitors who had not yet installed the recently released patches.

“In each iteration of the Watering Hole campaigns, attackers used exploits that were identical or strikingly similar to exploits used by CSVs, Intellexa, and NSO Group,” wrote Clement Lecigne of TAG. “We do not know how attackers obtained these exploits. What is clear is that APT actors are using N-day exploits that were originally used by CSVs as 0-day exploits.”

In one case, Lecigne said, TAG observed APT29 compromising the Mongolian government websites mfa.gov[.]mn and cabinet.gov[.]mn and planting a link that loaded code exploiting CVE-2023-41993, a critical flaw in the WebKit browser engine. The exploit, which was placed on the sites in November 2023, was used to steal browser cookies that could then be replayed to access the online accounts of the targets. The Google analyst said the APT29 exploit “used the exact same trigger” as one Intellexa had used in September 2023, before CVE-2023-41993 was fixed.
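The practical check a site owner wants after reading the paragraph above is whether their own pages carry an injected loader like the one planted on the Mongolian sites. The following is an added example, not Google TAG's code or anything from the original article: it parses a page with Python's standard HTML parser and flags script, iframe, embed and object elements that either point at a host outside an assumed first-party list or are styled to be invisible. The first-party domain list, the sample page and the attacker host track-adv.example are constructed for illustration.

```python
"""Scan an HTML page for injected third-party or hidden loaders of the kind used
in the watering hole attacks described above.

Added example (not Google TAG's code). The first-party domain list, the sample
page and the attacker domain track-adv.example are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site is expected to load content from (assumed for the example).
FIRST_PARTY = {"mfa.gov.mn", "cabinet.gov.mn"}

# Elements whose URL attribute makes the browser fetch and run or render remote content.
LOADER_TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}


def _is_hidden(attrs):
    """True when the element is sized or styled to be invisible, the usual way an
    injected iframe is kept out of sight of the site's ordinary visitors."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return attrs.get("width") == "0" or attrs.get("height") == "0"


class LoaderScanner(HTMLParser):
    """Collects every loader element that points off-site or is hidden."""

    def __init__(self, first_party):
        super().__init__()
        self.first_party = {h.lower() for h in first_party}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        url_attr = LOADER_TAGS.get(tag)
        if url_attr is None:
            return
        attrs = dict(attrs)
        url = attrs.get(url_attr)
        if not url:
            return
        host = urlparse(url).hostname
        if host is None:
            return  # relative URL: content served by the site itself
        third_party = host not in self.first_party
        hidden = _is_hidden(attrs)
        if third_party or hidden:
            self.findings.append(
                {"tag": tag, "host": host, "third_party": third_party, "hidden": hidden}
            )


def scan_page(html, first_party=FIRST_PARTY):
    """Return a list of suspicious loader elements found in the page."""
    scanner = LoaderScanner(first_party)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: two legitimate scripts plus one hidden off-site iframe.
SAMPLE_PAGE = """<html><head>
<script src="/static/site.js"></script>
<script src="https://cabinet.gov.mn/js/menu.js"></script>
</head><body>
<h1>Ministry news</h1>
<iframe src="https://track-adv.example/payload.html" width="0" height="0" style="display: none"></iframe>
</body></html>"""


if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE):
        flags = [k for k in ("third_party", "hidden") if f[k]]
        print(f"<{f['tag']}> loads from {f['host']}: {', '.join(flags)}")
```

Run it against a page fetched from the live site rather than from a cached copy, since an injected loader may be added server-side only for some visitors. A hit on a hidden element is worth investigating even when the host is first-party, because an attacker who controls the site can host the loader on it directly.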

Lecigne provided the following image, which compares the code used in each attack.

A side-by-side comparison of the code used by APT29 in November 2023 and Intellexa in September of the same year. (Image: Google TAG)

APT29 used the same exploit again in February 2024 in a watering hole attack on the Mongolian government website mfa.gov[.]mn.

In July 2024, APT29 launched a new cookie-stealing attack on mfa.gov[.]mn, this time exploiting CVE-2024-5274 and CVE-2024-4671, two N-day vulnerabilities in Google Chrome. Lecigne said APT29's CVE-2024-5274 exploit was a slightly modified version of one NSO Group had used in May 2024, when it was still a zero-day. The CVE-2024-4671 exploit, meanwhile, bore many similarities to the exploit Intellexa had previously used for CVE-2021-37973 to escape the Chrome sandbox.
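An N-day campaign like the July 2024 one only works against visitors whose browser has not yet picked up the fix, so a defender who finds such a page wants to know how much of their traffic was exposed. The following is an added example, not Google TAG's code or anything from the article: it pulls Chrome version numbers out of constructed web server access log lines and compares them against the first Chrome build that shipped each fix. The fixed-in build numbers are my reading of the Chrome stable release notes for May 2024, not something the article states; confirm them before relying on the check.

```python
"""Count visitors to a watering hole site whose Chrome build was still exposed to
the N-day bugs named above, from web server access log lines.

Added example (not Google TAG's code). The log lines are constructed. The
fixed-in versions are my reading of the Chrome stable release notes for May 2024,
not something stated in the article; confirm them before relying on this check.
"""
import re

# First Chrome stable build carrying each fix (assumed; verify against release notes).
FIXED_IN = {
    "CVE-2024-4671": (124, 0, 6367, 201),
    "CVE-2024-5274": (125, 0, 6422, 112),
}

# Chrome/<major>.<minor>.<build>.<patch> as it appears in a User-Agent string.
CHROME_RE = re.compile(r"Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")

# Combined log format: the user agent is the last quoted field.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')


def chrome_version(user_agent):
    """Return the Chrome version as a tuple, or None for non-Chrome agents."""
    m = CHROME_RE.search(user_agent)
    return tuple(int(x) for x in m.groups()) if m else None


def exposed_to(version):
    """CVEs whose fix arrived in a build newer than the one the client runs."""
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def summarize(log_lines):
    """Tally, per CVE, how many Chrome visitors were still unpatched."""
    counts = {cve: 0 for cve in FIXED_IN}
    counts.update({"chrome_patched": 0, "not_chrome": 0, "unparsed": 0})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        version = chrome_version(m.group(3))
        if version is None:
            counts["not_chrome"] += 1
            continue
        cves = exposed_to(version)
        if not cves:
            counts["chrome_patched"] += 1
        for cve in cves:
            counts[cve] += 1
    return counts


# Constructed access log: one fully unpatched client, one partially patched,
# one current, one non-Chrome browser, and one line the parser cannot read.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jul/2024:08:15:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/124.0.6367.118 Safari/537.36"',
    '203.0.113.11 - - [10/Jul/2024:08:16:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/125.0.6422.76 Safari/537.36"',
    '203.0.113.12 - - [10/Jul/2024:08:17:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/126.0.6478.127 Safari/537.36"',
    '203.0.113.13 - - [10/Jul/2024:08:18:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0"',
    "corrupted line with no fields",
]


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Chromium-based browsers such as Edge also advertise a Chrome/ token, so the count is a ceiling on Chrome proper; it is still the right population, since they ship the same V8 and sandbox code and pick up the same fixes on their own schedule.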

The timeline of the attacks is shown in the Google TAG graphic below.

As noted above, it is unclear how APT29 obtained the exploits. Possible sources include malicious insiders at the CSVs or at brokers who work with them, hackers who stole the code, or outright purchases. Both companies defend their businesses by promising to sell exploits only to governments considered globally reputable. The evidence uncovered by TAG suggests that despite these assurances, the exploits are finding their way into the hands of state-backed hacking groups.

“While we are not sure how the suspected APT29 actors obtained these exploits, our investigation underscores the extent to which exploits first developed by the commercial surveillance industry are being passed on to dangerous threat actors,” Lecigne wrote.
