Russian government hackers discovered using exploits created by spyware companies NSO and Intellexa

Google says it has evidence that Russian government hackers are using exploits “the same or strikingly similar” to those previously created by spyware makers Intellexa and NSO Group.

In a blog post Thursday, Google said it was not sure how the Russian government obtained the exploits, but said they were an example of how exploits developed by spyware creators can end up in the hands of “dangerous threat actors.”

In this case, Google claims that the threat actors are APT29, a hacking group widely attributed to Russia’s Foreign Intelligence Service (SVR). APT29 is a highly skilled hacking group known for its long-running and persistent campaigns to conduct espionage and data theft against a number of targets, including tech giants Microsoft and SolarWinds, as well as foreign governments.

Google said it found the hidden exploit code embedded in Mongolian government websites between November 2023 and July 2024. During that time, anyone who visited the sites using an iPhone or Android device could have had their phone hacked and their data, including passwords, stolen in what is known as a “watering hole” attack.

These exploits took advantage of vulnerabilities in the iPhone’s Safari browser and Google Chrome on Android, which had already been patched at the time of the alleged Russian campaign. However, these exploits could be effective in compromising unpatched devices.

According to the blog post, the exploit targeting iPhones and iPads was designed to steal user account cookies stored in Safari, specifically on a range of online email providers that host the Mongolian government’s personal and business accounts. Attackers could use the stolen cookies to then gain access to those government accounts. Google said the campaign targeting Android devices used two separate exploits to steal user cookies stored in the Chrome browser.

Clement Lecigne, a Google security researcher and author of the paper, told TechCrunch that it’s unclear who the Russian government hackers were targeting in this campaign. “But based on where the exploit was hosted and who typically visited these sites, we believe Mongolian government employees were a likely target,” he said.

Lecigne, who works for Google’s Threat Analysis Group, the security research unit that investigates government-backed cyber threats, said Google is linking the code reuse to Russia because researchers have already observed the same cookie-stealing code used by APT29 in an earlier campaign in 2021.

Distant view of the headquarters of the Russian Foreign Intelligence Service (SVR) outside Moscow, taken on June 29, 2010. Image credits: Alexei Sazonov / AFP / Getty Images

A key question remains: How did the Russian government hackers obtain the exploit code? Google said that both iterations of the watering hole campaign targeting the Mongolian government used code that resembled or matched exploits from Intellexa and NSO Group. Both companies are known for developing exploits capable of delivering spyware to fully patched iPhones and Android phones.

Google said the exploit code used in the watering hole attack targeting Chrome users on Android shared a “very similar trigger” with an exploit previously developed by NSO Group. In the case of the exploit targeting iPhones and iPads, Google said the code used “the exact same trigger as the exploit used by Intellexa,” which Google said strongly suggests that the authors or providers of the exploit “are the same.”

Asked by TechCrunch about the reuse of the exploit code, Lecigne said, “We do not believe the actor recreated the exploit,” ruling out the possibility that the exploit was discovered independently by Russian hackers.

“There are multiple possibilities as to how they could have acquired the same exploit, including purchasing it after it was patched or stealing a copy of the exploit from another customer,” Lecigne said.

Google said users should “patch promptly” and keep software up to date to help prevent malicious cyberattacks. iPhone and iPad users with the high-security Lockdown Mode feature enabled were not affected even when running a vulnerable software version, Lecigne said.

TechCrunch reached out to the Russian Embassy in Washington DC and the Permanent Mission of Mongolia to the United Nations in New York for comment, but did not hear back as of press time. Intellexa could not be reached for comment, and NSO Group did not respond to a request for comment. Apple spokesperson Shane Bauer did not respond to a request for comment.