Russian Hackers Exploit Commercial Spyware Techniques to Target Multiple Websites

Sophia Taylor

By Sophia Taylor

Published:

In a recent discovery, Google researchers have linked a Russian government-backed hacking group, APT29 (also known as Cozy Bear), to a series of attacks that compromised smartphones in a sophisticated campaign. These attacks targeted both iPhone and Android users, borrowing techniques from notorious commercial spyware vendors like NSO Group and Intellexa.

The campaign ran from November 2023 to July 2024, using compromised Mongolian government websites to deliver malicious software. Known as a “watering hole” attack, this method redirected users visiting these sites to hacker-controlled domains that delivered spyware. The campaign initially targeted iPhone users with an iOS exploit and later shifted to Android users, exploiting vulnerabilities in Google Chrome.

A concerning aspect of this attack is the reuse of exploits originally developed by commercial surveillance vendors. APT29 used methods strikingly similar to those deployed by NSO Group’s Pegasus spyware and Intellexa’s Predator tools. These surveillance technologies have historically been used by governments to spy on dissidents and political figures. The question remains as to how these exploits made their way into the hands of Russian state-sponsored hackers.

Fig 1: The attack chain used to target iOS devices. Source: Google

The attacks primarily aimed to steal browser cookies, allowing the hackers to access accounts and sensitive information from websites like Google, Facebook, and Microsoft. Despite the fact that patches are now available to fix these vulnerabilities, many users remain unprotected, allowing the exploits to succeed.

The incident underscores the danger posed by the proliferation of spyware techniques from commercial vendors. The fact that these tools are now being used by state-sponsored hackers highlights a growing need for increased security measures and timely updates. Google’s Threat Analysis Group has urged users to ensure their devices are up to date with the latest software patches.

Fig 2: The triggers used in this attack (left) compared with those used by NSO’s Pegasus (right). Source: Google

While the extent of the connection between the Russian hackers and the spyware vendors remains unclear, it is evident that these tools continue to be exploited for malicious purposes. This raises significant concerns about the future of cybersecurity, as the line between state-sponsored and commercial spyware becomes increasingly blurred.

In response, major tech companies like Apple and Google are working to mitigate these threats, implementing security features such as Site Isolation in Chrome and regularly releasing security updates. Users are strongly encouraged to update their devices as soon as patches become available to avoid falling victim to these types of attacks.