Commercial Spyware Vendors Have a Copycat in Top Russian APT

Multiple exploit campaigns linked to a Russian-backed threat actor (variously known as APT29, Cozy Bear, and Midnight Blizzard) were discovered delivering n-day mobile exploits that commercial spyware vendors have used before.

According to Google's Threat Analysis Group (TAG), the exploit campaigns were delivered "from a watering hole attack on Mongolian government websites," and each one is identical to exploits previously used by commercial surveillance vendors (CSVs) Intellexa and NSO Group. That suggests, as the researchers at Google TAG note, that the authors and/or providers are the same.

In the watering-hole attacks, threat actors infected two websites, cabinet.gov[.]mn and mfa.gov[.]mn, which belong to Mongolia's Cabinet and Ministry of Foreign Affairs. They then injected code to exploit known flaws in iOS and Chrome on Android, with the ultimate goal of hijacking website visitors' devices. 

The campaigns popped up on three separate occasions, one of which occurred at the end of last year, and the latest just a month ago. Two of the campaigns delivered an iOS exploit through a vulnerability tracked as CVE-2023-41993 that recently had been patched, but not before being exploited by Intellexa and NSO Group.

"We do not know how the attackers acquired these exploits," said the researchers. "What is clear is that APT actors are using n-day exploits that were originally used as 0-days by CSVs. It should be noted that outside of common exploit usage, the recent watering hole campaigns otherwise differed in their approaches to delivery and second-stage objectives."

The researchers go on to add that though there are still outstanding questions as to how the exploits were acquired, this does highlight how exploits developed first by the commercial surveillance industry become even more of a threat as threat actors come across them.