Google Accuses Russia of Using Stolen Spyware Exploits From NSO, Intellexa

Do the state-sponsored hackers from Russia have ties with NSO and Intellexa?

Google has uncovered alarming evidence that Russian government hackers are using sophisticated exploits closely linked to those developed by notorious spyware makers Intellexa and NSO Group.

The tech giant revealed this troubling discovery in a blog post on Thursday, Aug. 29, shedding light on the growing threat of state-sponsored cyberattacks.

Russian Hackers Leveraging Spyware Exploits

Google's Threat Analysis Group discovered that the exploits deployed by state-sponsored hackers from Russia are nearly identical to NSO's and Intellexa's spyware. Photo: Lewis Kang'ethe Ngugi / Unsplash

Google's Threat Analysis Group (TAG) identified that the Russian cyber espionage group, APT29, is deploying exploits that are "identical or strikingly similar" to those created by Intellexa and NSO Group.

APT29, widely associated with Russia's Foreign Intelligence Service (SVR), is known for its persistent and highly skilled campaigns targeting foreign governments, tech companies, and other high-value entities.

The exact method by which the Russian government obtained these powerful exploits remains unclear. However, Google emphasized that this case highlights the dangers of spyware code falling into the hands of malicious actors.

Watering Hole Attack Targets Mongolian Government

Google's investigation revealed that these exploits were embedded in Mongolian government websites between November 2023 and July 2024. Visitors to these sites using iPhones or Android devices were at risk of having their devices compromised in a "watering hole" attack—a tactic where attackers infect websites likely to be visited by their targets.

The exploits took advantage of known vulnerabilities in the Safari browser on iPhones and Google Chrome on Android devices. Although these vulnerabilities had been patched by the time of the Russian campaign, unpatched devices remained vulnerable to attack.

Specific Targets and Methods of Attack

The attacks targeting iPhones and iPads were designed to steal user account cookies stored in the Safari browser, particularly those associated with online email providers used by the Mongolian government. These stolen cookies could grant the attackers unauthorized access to government accounts.

For Android devices, the attackers employed two distinct exploits to steal cookies stored in the Chrome browser. Google's researchers linked the reuse of this cookie-stealing code to APT29, citing previous observations of similar tactics used by the group in 2021.

Unanswered Questions: How Did Russia Obtain the Exploits?

One of the most pressing questions arising from Google's findings is how the Russian government hackers acquired the exploit code.

Both the Safari and Chrome exploits closely resemble those developed by Intellexa and NSO Group, companies known for creating spyware capable of compromising even fully patched devices.

Google's analysis suggests that the exploit code used in the watering hole attacks shares a "very similar trigger" with earlier exploits developed by NSO Group. Additionally, the code targeting iPhones and iPads utilized the "exact same trigger" as an exploit created by Intellexa, strongly indicating that the same authors or providers were involved.

According to Clement Lecigne, a security researcher at Google, the team does not believe that the state-sponsored hackers recreated the exploit themselves.

"There are multiple possibilities as to how they could have acquired the same exploit, including purchasing it after it was patched or stealing a copy of the exploit from another customer," Lecigne told TechCrunch.

Importance of Staying Updated

Google emphasized the importance of keeping software up-to-date to prevent such cyberattacks. Users should apply patches promptly to safeguard their devices from known vulnerabilities.

Interestingly, iPhone and iPad users with Apple's high-security Lockdown Mode enabled were reportedly unaffected by the attack, even if they were running a vulnerable software version.
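The two mitigations the article names, prompt patching and Lockdown Mode, suggest a simple fleet check: which managed phones are still on a build older than the one that carries the fix, and which of those are at least protected by Lockdown Mode? The script below is an added example written for this article, not code from Google's report or from Tech Times. The `MIN_PATCHED` thresholds, the `Device` inventory and the function names are constructed placeholders, since the article does not name the patched OS or Chrome builds; substitute the vendor advisory versions. The version parser compares components numerically, so `16.7.10` correctly sorts above `16.7.9` (a plain string comparison would get that wrong).

```python
"""Fleet exposure check for the "patched, but devices still unpatched" risk.

Added example, not part of the Tech Times article or Google's report. The minimum
patched versions and the device inventory are CONSTRUCTED placeholders; the
article does not name the fixed builds, so replace them with vendor advisory data.
"""
from dataclasses import dataclass

# PLACEHOLDER thresholds: first OS / browser release assumed to carry the fix.
MIN_PATCHED = {
    "ios": (17, 0, 0),              # assumed value, not from the article
    "android_chrome": (120, 0, 0),  # assumed Chrome-for-Android major, not from the article
}


@dataclass
class Device:
    name: str
    platform: str                # "ios" or "android_chrome"
    version: str                 # e.g. "16.5.1" or "118.0.5993"
    lockdown_mode: bool = False  # Apple Lockdown Mode; only meaningful for iOS


def parse_version(text: str) -> tuple:
    """Turn '16.5.1' into (16, 5, 1); missing components become 0, so '17' < '17.0.1'.

    Components are compared as integers so that 16.7.10 ranks above 16.7.9.
    Trailing non-digit noise such as '17.2b' is ignored rather than raising.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def classify(device: Device) -> str:
    """Return 'patched', 'mitigated' (old build but Lockdown Mode on), or 'exposed'."""
    floor = MIN_PATCHED[device.platform]
    if parse_version(device.version) >= floor:
        return "patched"
    if device.platform == "ios" and device.lockdown_mode:
        # The article reports Lockdown Mode users were unaffected even on vulnerable builds.
        return "mitigated"
    return "exposed"


def exposure_report(devices):
    """Group device names by exposure class so the 'exposed' list can be actioned first."""
    report = {"patched": [], "mitigated": [], "exposed": []}
    for d in devices:
        report[classify(d)].append(d.name)
    return report


# Constructed sample inventory (not real devices or real version data).
SAMPLE_FLEET = [
    Device("minister-iphone", "ios", "17.2", False),
    Device("press-ipad", "ios", "16.5.1", True),
    Device("deputy-iphone", "ios", "16.7.10", False),
    Device("driver-pixel", "android_chrome", "121.0.6167", False),
    Device("clerk-android", "android_chrome", "118.0.5993", False),
]

if __name__ == "__main__":
    for status, names in exposure_report(SAMPLE_FLEET).items():
        print(f"{status:9s} {', '.join(names) or '-'}")
```

Run as-is it prints three lines (patched, mitigated, exposed) for the constructed fleet; in practice the inventory would come from an MDM export and the thresholds from the Apple and Chrome security bulletins for the relevant advisories.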

Joseph Henry
Tech Times
ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.