Commercial Spyware Vendors Have a Copycat in Top Russian APT

Russia's Midnight Blizzard infected Mongolian government websites to try to compromise the devices of visitors, using watering-hole tactics.

Dark Reading Staff, Dark Reading

August 30, 2024


Multiple exploit campaigns linked to a Russian-backed threat actor (variously known as APT29, Cozy Bear, and Midnight Blizzard) were discovered delivering n-day mobile exploits that commercial spyware vendors have used before.

According to Google's Threat Analysis Group (TAG), the exploit campaigns were delivered "from a watering hole attack on Mongolian government websites," and each one is identical to exploits previously used by commercial surveillance vendors (CSVs) Intellexa and NSO Group. That suggests, as the researchers at Google TAG note, that the authors and/or providers are the same.

In the watering-hole attacks, threat actors infected two websites, cabinet.gov[.]mn and mfa.gov[.]mn, which belong to Mongolia's Cabinet and Ministry of Foreign Affairs. They then injected code to exploit known flaws in iOS and Chrome on Android, with the ultimate goal of hijacking website visitors' devices. 

The campaigns popped up on three separate occasions, one of which occurred at the end of last year, and the latest just a month ago. Two of the campaigns delivered an iOS exploit through a vulnerability tracked as CVE-2023-41993 that recently had been patched, but not before being exploited by Intellexa and NSO Group.

"We do not know how the attackers acquired these exploits," said the researchers. "What is clear is that APT actors are using n-day exploits that were originally used as 0-days by CSVs. It should be noted that outside of common exploit usage, the recent watering hole campaigns otherwise differed in their approaches to delivery and second-stage objectives."

The researchers add that, although questions remain about how the exploits were acquired, the campaigns highlight how exploits first developed by the commercial surveillance industry become an even greater threat once other threat actors get hold of them.
