Cybersecurity News that Matters


Russian hackers targeted Mongolian government with techniques akin to commercial spyware providers, Google says

Illustration by Areum Hwang, The Readable

by David DiMolfetta

Aug. 30, 2024
7:41 PM GMT+9

Kremlin-backed cyber operatives likely targeted a slew of Mongolian government websites using exploits that mirrored those deployed by commercial spyware vendors like NSO Group and Intellexa, according to a Thursday report from Google’s Threat Analysis Group.

Between November 2023 and July 2024, the Russian government-affiliated hackers—dubbed APT29—used “watering hole” cyberattacks that target victims by surreptitiously lacing websites they often visit with malicious code, according to TAG, which assessed with “moderate confidence” that the APT29 group carried out the intrusions.

The attack methods leveraged Apple iOS and Google Chrome n-day exploits, which target vulnerabilities the vendor has already patched but that still work against devices and browsers whose owners have not installed the fix. “In each iteration of the watering hole campaigns, the attackers used exploits that were identical or strikingly similar to exploits previously used by commercial surveillance vendors (CSVs) Intellexa and NSO Group,” the TAG blog post says.

“We do not know how the attackers acquired these exploits. What is clear is that APT actors are using n-day exploits that were originally used as 0-days by CSVs,” the analysis notes, referring to zero-day vulnerabilities, flaws the vendor does not yet know about, so named because the developer has had “zero days” to patch them by the time an attacker exploits them.

The report aligns with earlier findings from Google, which said in March that some 60% of spyware vendors sold their exploits to government clients in 2023.

The watering hole attacks affected Mongolia’s Cabinet Secretariat website, as well as the nation’s Ministry of Foreign Affairs page. In one case, the MFA page contained malicious code that sent Android users on Google Chrome to a site that exploited browser flaws to install malware that stole information from the user’s browser.
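The injection pattern the article describes, a legitimate government page carrying code that silently pulls a visitor into an attacker-controlled exploit site, is something a defender can triage from a saved copy of the page. The following is an added example written for this page, not code from the article or from Google TAG: it parses an HTML snapshot, lists every iframe and script that fetches from a host outside the page's own site, and flags the ones styled to be invisible. The page URL, the hostnames, and the sample HTML are all constructed for illustration; the real campaign's domains and markup are not reproduced here.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class EmbedCollector(HTMLParser):
    """Collects <iframe> and <script> elements that load a remote resource."""

    def __init__(self):
        super().__init__()
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if not src:
            return  # inline script or srcdoc iframe: nothing fetched elsewhere
        self.embeds.append({"tag": tag, "src": src, "attrs": attrs})


def _is_hidden(attrs):
    """Heuristic: zero-size or display:none/visibility:hidden embeds."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        if (attrs.get(dim) or "").strip() in ("0", "0px"):
            return True
        if f"{dim}:0" in style:
            return True
    return "hidden" in attrs  # boolean `hidden` attribute


def find_offsite_embeds(page_html, page_url):
    """Return iframes/scripts whose src resolves outside the page's own site.

    Relative and protocol-relative URLs are resolved against page_url, and
    subdomains of the page's host are treated as the same site.
    """
    page_host = (urlsplit(page_url).hostname or "").lower()
    collector = EmbedCollector()
    collector.feed(page_html)
    findings = []
    for embed in collector.embeds:
        resolved = urljoin(page_url, embed["src"])
        host = (urlsplit(resolved).hostname or "").lower()
        if host == page_host or host.endswith("." + page_host):
            continue  # same site: expected for a normal page
        findings.append({
            "tag": embed["tag"],
            "url": resolved,
            "hidden": _is_hidden(embed["attrs"]),
        })
    return findings


# Constructed sample: a fictional ministry page with one hidden off-site iframe.
SAMPLE_PAGE_URL = "https://ministry.example.mn/news/"
SAMPLE_HTML = """
<html><head>
<script src="/static/js/site.js"></script>
<script src="https://cdn.ministry.example.mn/lib/jquery.js"></script>
</head><body>
<h1>Press releases</h1>
<iframe src="//watering-hole.invalid/landing" width="0" height="0" style="border:0"></iframe>
</body></html>
"""


if __name__ == "__main__":
    for finding in find_offsite_embeds(SAMPLE_HTML, SAMPLE_PAGE_URL):
        marker = "HIDDEN " if finding["hidden"] else ""
        print(f"{marker}{finding['tag']} -> {finding['url']}")
```

Run against a snapshot of each affected page, this surfaces the kind of hidden off-site iframe a watering hole injects; the hits still need to be checked against the site's legitimate third-party includes (analytics, CDNs), which is why the function reports rather than blocks. Since the campaigns here served exploits only to matching browsers, the snapshot should be taken with the user agent strings the attackers were targeting, or the injected element may not appear.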

The attacks sought to steal browser cookie data, according to TAG; cookies hold the session tokens that keep users signed in, so a stolen cookie can let an attacker access an account without knowing its password. Mongolian cybersecurity authorities, Apple and Google’s Android and Chrome teams were notified of the incident, the threat research group said.

Spyware—covert software secretly installed on victims’ devices to monitor their activities and capture private communications—has been widely used by governments to target journalists, politicians, and dissidents worldwide. At least 74 nations have struck deals with spyware vendors, according to an analysis released last year from the Carnegie Endowment for International Peace, a Washington, D.C.-based international affairs think tank.

APT29 is a well-known Russian hacking group likely affiliated with the Kremlin’s foreign intelligence service, or SVR. It has been linked to the infamous 2020 SolarWinds Orion hack in the United States, and most recently, was found to have targeted multinational German tech firm TeamViewer SE.

It’s unclear what may have motivated Moscow’s cyberspies to acquire these exploits. Russia’s centralized economy allows the Kremlin to easily secure contracts with its private sector to develop military and intelligence assets. However, experts note that purchasing ready-made spyware products saves nations valuable time and resources, which can then be allocated to other priorities.

Intellexa was previously added to a U.S. restriction list that prohibits American firms from engaging in certain business activities with the company, due to concerns that it threatens U.S. national security and foreign policy interests. This action followed the 2021 addition of NSO Group and Candiru to the U.S. federal blacklist, after it was determined that the phone hacking tools produced by these companies were used by foreign governments to target government officials, academics, and other individuals.

The U.S. State Department in February implemented a policy that would allow the U.S. to impose visa restrictions on individuals linked to commercial spyware abuses. In early March, it unveiled the first iteration of those sanctions, hitting Intellexa and its leaders, including a former Israeli intelligence operative.

“Watering holes can still be an effective avenue for n-day exploits by mass targeting a population that might still run unpatched browsers,” TAG said. “We urge users and organizations to apply patches quickly and keep software fully up-to-date for their protection.”


  • David DiMolfetta

    David DiMolfetta is a contributing writer at The Readable. Based in Washington D.C., he is a full-time cybersecurity reporter for Nextgov/FCW, a news website and trade magazine focused on U.S. federal...
