A report from Google researchers has revealed that APT29 hacking campaigns and spyware developers have used similar infiltration techniques.
Also known as Cozy Bear, Midnight Blizzard, and Nobelium, the threat actors are thought to be state-sponsored by Russia, and were responsible for the password spraying attack on Microsoft earlier this year.
Google’s Threat Analysis Group observed the activity of APT29 between November 2023 and July 2024, including a watering hole attack on websites belonging to the government of Mongolia. The hackers used techniques similar to those deployed by commercial vendors such as NSO Group and Intellexa, with the compromised websites delivering spyware that included a browser cookie stealer to iPhones and Android smartphones.
The Google research team further assessed the methods the Russian hackers used against iOS and Android, and made a concerning discovery. They found ‘exploits’ that were “identical or strikingly similar to exploits previously used by commercial surveillance vendors (CSVs) Intellexa and NSO Group,” suggesting a link between APT29 and commercial entities known to sell hacking know-how to governments.
Exploits Used After iOS, Android Flaws Were Discovered And Patched
Intellexa and NSO Group have previously attracted attention for developing their respective Predator and Pegasus spyware tools, sometimes used by government and law enforcement agencies to spy on dissidents, activists, and other countries.
It’s not clear if the hackers infiltrated the commercial providers, replicated techniques, or were in contact with the companies. “We do not know how the attackers acquired these exploits,” said Google researcher Clement Lecigne.
For now, it’s only known that they used similar techniques. Google’s research showed that the hackers were using these exploits against vulnerabilities in iOS’s WebKit and Google’s Chrome weeks after the OS developers had identified and patched them.