Spyware Proliferation Fuels Espionage
In recent years, commercial spyware vendors like Intellexa and NSO Group have developed sophisticated hacking tools that exploit “zero-day” vulnerabilities — previously undiscovered and unpatched software flaws — to breach victim devices. Governments around the world have become significant buyers of these tools, deploying them against opposition leaders, journalists, activists, and others. However, new findings from Google’s Threat Analysis Group (TAG) indicate that Russia’s APT29, also known as Cozy Bear, has started using similar exploits in its espionage operations.
Between November 2023 and July 2024, APT29 compromised Mongolian government websites and utilized them for “watering hole” attacks. In these attacks, any visitor with a vulnerable device could be hacked. The malicious infrastructure employed exploits that were either identical or closely related to those previously used by Intellexa and NSO Group. Even though these vulnerabilities had been patched, the Russian hackers targeted devices that had not yet been updated. TAG researchers suggest that APT29 likely adapted or acquired these commercial spyware tools, highlighting the dangerous spread of such exploits to advanced threat actors.
These campaigns relied on n-day exploitation: the attackers used vulnerabilities that had already been patched but remained present on devices that had not yet received the update. APT29's reuse of exploits originating from commercial spyware vendors is unusual for a state-sponsored group, and it reflects the technical expertise and adaptability of a well-funded actor.
NSO Group has denied selling its products to Russia, stating that its technologies are exclusively sold to vetted intelligence and law enforcement agencies aligned with the US and Israel. Nevertheless, the TAG findings underscore the persistent threat posed by watering hole attacks, particularly as state-sponsored groups increasingly employ sophisticated commercial spyware for espionage purposes.