Recently, Google's Threat Analysis Group (TAG) reported evidence that attackers it assesses with moderate confidence to be the Russian government-backed group APT29 (also known as Cozy Bear) used exploits originally developed by the commercial surveillance vendors NSO Group and Intellexa. The attackers compromised Mongolian government websites and used them to serve iOS and Chrome exploits to visitors, stealing browser cookies and other sensitive data. The same exploits had earlier been used as zero-days by Intellexa and NSO Group; by the time APT29 deployed them the underlying vulnerabilities had already been patched, so they only worked against devices that had not been updated.
Between November 2023 and July 2024, the attackers ran several waves of "watering hole" attacks, in which websites the targets are known to visit are modified to load malicious code against their visitors. The earlier waves used CVE-2023-41993, a WebKit vulnerability, against iPhone users running iOS 16.6.1 or older; the July 2024 wave chained CVE-2024-5274 (a type confusion in Chrome's V8 engine) with CVE-2024-4671 (a use-after-free in Chrome) against Android users running unpatched Chrome. Google warned that although commercial surveillance vendors say they sell only to vetted government customers, their exploits still end up in the hands of other dangerous threat actors, and that this proliferation is a significant risk to users worldwide.
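As an added example (not part of the original article or of Google's report), the following Python script shows one check a site operator can run to catch the kind of injection a watering hole relies on. It assumes the injected code takes the form of an iframe or script tag that either points to a host outside the site's own domain or is visually hidden; the sample page, the hostnames and the allowlist are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectedResourceFinder(HTMLParser):
    """Collect <iframe>/<script> tags that load off-site content or are hidden.

    A watering hole typically adds one such tag to an otherwise legitimate
    page; legitimate off-site loads (CDNs) are excluded via an allowlist.
    """

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.site_host = site_host.lower()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []  # list of (tag, src, [reasons])

    def _is_off_site(self, host):
        if host is None:  # relative URL, same origin
            return False
        host = host.lower()
        if host == self.site_host or host.endswith("." + self.site_host):
            return False
        return host not in self.allowed_hosts

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        reasons = []
        host = urlparse(src).hostname
        if self._is_off_site(host):
            reasons.append("off-site host %s" % host)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = ("display:none" in style or "visibility:hidden" in style
                  or a.get("width") == "0" or a.get("height") == "0")
        if tag == "iframe" and hidden:
            reasons.append("hidden iframe")
        if reasons:
            self.findings.append((tag, src, reasons))


def scan_page(html, site_host, allowed_hosts=()):
    """Return the suspicious iframe/script tags found in an HTML document."""
    parser = InjectedResourceFinder(site_host, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a normal page with one injected hidden iframe.
SAMPLE_PAGE = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example/lib.js"></script>
</head><body>
<h1>Ministry news</h1>
<iframe src="https://track.example/loader" style="display: none" width="0" height="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, src, reasons in scan_page(SAMPLE_PAGE, "site.example", ["cdn.example"]):
        print("%s %s: %s" % (tag, src, ", ".join(reasons)))
```

Run this against a crawl of your own site's pages on a schedule and diff the output against a known-good baseline; a new off-site or hidden iframe appearing on a page that has not been deliberately changed is the signal to investigate.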
How APT29 obtained these exploits is not known. Possible routes include a compromise of the vendors themselves, purchase from the same exploit brokers the vendors buy from, or an insider at one of the companies. Whatever the route, the case shows how exploits built by commercial surveillance vendors can reach government-backed threat groups, and it underscores why prompt patching matters: these exploits only worked against devices that had not yet received fixes that were already available.