Spyware Tools from NSO and Intellexa Used in Russian Government Hacks

Google has revealed that Russian government hackers have been actively using exploits identical or closely similar to those created by the spyware makers Intellexa and NSO Group. The finding matters because it shows that exploits developed by commercial spyware vendors become a danger once they reach malicious actors, including nation-state hackers. How the Russian government came to possess these exploits is not known, but the case raises the larger question of how such tools can be misused for espionage and other malicious ends. The hacking group, known as APT29, is commonly linked to Russia's Foreign Intelligence Service (SVR).

APT29 has a well-documented history of cyber espionage campaigns against high-profile organizations, including technology companies such as Microsoft and SolarWinds, as well as numerous foreign governments. The newly reported campaign resembles earlier ones linked to APT29 and involved planting exploit code on websites belonging to the Mongolian government. Visitors to the infected sites, including those covering foreign and military affairs, between November 2023 and July 2024 risked having their devices compromised and their data stolen in what is referred to as a "watering hole" attack. The vulnerabilities exploited in this campaign had already been fixed in updates to the Safari browser on iPhones and to Google Chrome on Android devices.

Many devices remain unpatched, however, so out-of-date software is still a threat. On iPhones and iPads, the attack was delivered through Safari and stole user cookies that could later be used to access the victims' email accounts with the Mongolian government. Android users faced a two-exploit chain designed to steal Chrome browser cookies for the same kind of unauthorized access. Google's Threat Analysis Group (TAG), led by security researcher Clement Lecigne, identified a strong link between the exploit code used in this campaign and code previously observed in a 2021 APT29 operation.

That link led Google to attribute the attack to APT29 and raised the suspicion that the exploit code itself originated with Intellexa and NSO Group. What gives Lecigne pause is not so much the reuse of such advanced exploit code as the question of how those tools were acquired in the first place, whether by purchase, theft, or some other route. Technologies from NSO Group and Intellexa are supposedly sold only to vetted government agencies. Lecigne says he still does not know how Russian hackers obtained these exploits, although he outlines several theories, ranging from the code having been purchased after the vulnerabilities were patched to its having been stolen from another customer.

NSO Group, responding to inquiries about the case, would neither confirm selling its products to Russia nor detail which government entities it contracts with. Either way, the incident underscores the risks that come with such powerful cyber tools. In response, Google urged its users to patch their software promptly to avoid falling victim to similar attacks. It also said that iPhone and iPad users with Lockdown Mode turned on were not affected by the attack, even if they were running software versions vulnerable to the exploit.
