Russian government hackers found using exploits made by spyware companies NSO and Intellexa | TechCrunch (2024)

Google says it has evidence that Russian government hackers are using exploits that are “identical or strikingly similar” to those previously made by spyware makers Intellexa and NSO Group.

In a blog post on Thursday, Google said it is not sure how the Russian government acquired the exploits, but said this is an example of how exploits developed by spyware makers can end up in the hands of “dangerous threat actors.”

In this case, Google says the threat actors are APT29, a hacking group widely attributed to Russia's Foreign Intelligence Service, the SVR. APT29 is a highly capable group known for long-running, persistent espionage and data-theft campaigns against a range of targets, including Microsoft, SolarWinds and foreign governments.

Google said it found the hidden exploit code embedded on Mongolian government websites between November 2023 and July 2024. During this time, anyone who visited these sites using an iPhone or Android device could have had their phone hacked and data stolen, including passwords, in what is known as a “watering hole” attack.

The exploits took advantage of vulnerabilities in Safari on iPhone and Google Chrome on Android that had already been patched by the time of the suspected Russian campaign. Even so, the exploits remained effective against devices that had not yet installed those updates, which is what made the campaign worthwhile for the attackers.

According to the blog post, the exploit targeting iPhones and iPads was designed to steal account cookies stored in Safari for a specific set of online email providers that host the personal and work accounts of the Mongolian government. With those cookies, the attackers could log in to the government accounts without needing the users' passwords. Google said the campaign targeting Android devices chained two separate exploits together to steal cookies stored in the Chrome browser.
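The attack outcome described above is a stolen session cookie replayed from a device the victim does not own. The following is an added example, not code from the article, Google TAG or any vendor, of the detection logic a defender of the targeted email accounts could run over their access logs: it groups requests by session identifier and flags any session that is later used from a different client fingerprint (source IP plus User-Agent) than the one that established it. The log format, session ids, IP addresses and users are all constructed for this example.

```python
"""Added example (not from the TechCrunch article or Google TAG): flag session
cookies that are replayed from a client other than the one that created the
session. Log format and sample lines below are constructed for this example."""
from collections import defaultdict
from datetime import datetime

# Constructed access-log sample: one line per authenticated request.
# Session "a1b2c3" is created from a mobile Safari client and then reused
# from a different IP and User-Agent a few minutes later (the hijack case).
SAMPLE_LOG = """\
2024-07-01T08:00:01Z sid=a1b2c3 ip=202.131.0.10 ua=Mobile/Safari user=alice@example.gov
2024-07-01T08:05:12Z sid=a1b2c3 ip=202.131.0.10 ua=Mobile/Safari user=alice@example.gov
2024-07-01T08:07:40Z sid=a1b2c3 ip=185.220.0.5 ua=curl/8.0 user=alice@example.gov
2024-07-01T09:00:00Z sid=d4e5f6 ip=202.131.0.22 ua=Chrome/Android user=bob@example.gov
2024-07-01T09:30:00Z sid=d4e5f6 ip=202.131.0.22 ua=Chrome/Android user=bob@example.gov
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into a dict."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def find_replayed_sessions(log_text):
    """Return one alert per session whose cookie is used from a client
    fingerprint (ip, ua) different from the one that established it.

    A User-Agent change is treated as the strong signal; an IP-only change
    is reported at lower severity because mobile clients legitimately roam.
    """
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            sessions[rec["sid"]].append(rec)

    alerts = []
    for sid, recs in sessions.items():
        recs.sort(key=lambda r: r["ts"])
        origin = recs[0]
        for rec in recs[1:]:
            ip_changed = rec["ip"] != origin["ip"]
            ua_changed = rec["ua"] != origin["ua"]
            if not (ip_changed or ua_changed):
                continue
            alerts.append({
                "sid": sid,
                "user": rec["user"],
                "severity": "high" if ua_changed else "low",
                "origin": (origin["ip"], origin["ua"]),
                "replayed_from": (rec["ip"], rec["ua"]),
                "at": rec["ts"].isoformat(),
            })
            break  # one alert per session is enough
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_LOG):
        print(alert)
```

The useful follow-up action on a high-severity hit is to revoke the session server-side, not merely to notify the user: the attacker holds a valid cookie until it is invalidated. Binding sessions to a device (for example via token binding or short-lived, re-issued tokens) reduces the window in which a stolen cookie is worth anything at all.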

Google security researcher Clement Lecigne, who authored the blog post, told TechCrunch that it is not known for certain who the Russian government hackers were targeting in this campaign. “But based on where the exploit was hosted and who would normally visit these sites, we believe that Mongolian government employees were a likely target,” he said.

Lecigne, who works for Google’s Threat Analysis Group, the security research unit that investigates government-backed cyber threats, said Google is linking the reuse of the code to Russia because the researchers previously observed the same cookie-stealing code used by APT29 during an earlier campaign in 2021.


A key question remains: How did the Russian government hackers obtain the exploit code to begin with? Google said both iterations of the watering hole campaign targeting the Mongolian government used code resembling or matching exploits from Intellexa and NSO Group. These two companies are known for developing exploits capable of delivering spyware that can compromise fully patched iPhones and Android phones.

Google said the exploit code used in the watering hole attack targeting Chrome users on Android shared a “very similar trigger” with an exploit developed earlier by NSO Group. In the case of the exploit targeting iPhones and iPads, Google said the code used the “exact same trigger as the exploit used by Intellexa,” which Google said strongly suggested that the exploit authors or providers “are the same.”

When asked by TechCrunch about the reuse of exploit code, Lecigne said: “We do not believe the actor recreated the exploit,” ruling out the likelihood that the exploit was independently discovered by the Russian hackers.

“There are multiple possibilities as to how they could have acquired the same exploit, including purchasing it after it was patched or stealing a copy of the exploit from another customer,” said Lecigne.

NSO Group did not respond to TechCrunch’s inquiry prior to publication. In a statement provided after publication, NSO spokesperson Gil Lainer said: “NSO does not sell its products to Russia. Our technologies are sold exclusively to vetted U.S. & Israel-allied intelligence and law enforcement agencies. Our systems and technologies are highly secure and are continuously monitored to detect and neutralize external threats.”

TechCrunch contacted the Russian Embassy in Washington, DC and Mongolia’s Permanent Mission to the United Nations in New York for comment, but did not hear back by press time. Intellexa could not be reached for comment. Apple spokesperson Shane Bauer did not respond to a request for comment.

Google said users should "apply patches quickly" and keep software up to date, since both exploit chains relied on vulnerabilities that were already fixed. According to Lecigne, iPhone and iPad users who had the high-security Lockdown Mode feature enabled were not affected even when running a vulnerable software version.

Updated with post-publish response from NSO.
