Google has reported that Russian government hackers are employing exploits similar to those created by spyware companies NSO Group and Intellexa. The tech giant’s findings, detailed in a blog post, indicate that the Russian hacking group APT29, linked to Russia’s Foreign Intelligence Service (SVR), has used these exploits in its campaigns.
The exploits, discovered on Mongolian government websites between November 2023 and July 2024, targeted vulnerabilities in iPhone’s Safari browser and Google Chrome on Android devices. Users visiting these sites risked having their data, including passwords, stolen in what is known as a “watering hole” attack. The vulnerabilities had been patched by the time of the attack, but unpatched devices remained at risk.
Google’s Clement Lecigne explained that while the specific targets of the attack are unclear, Mongolian government employees are considered likely victims due to the nature of the compromised sites. Google’s analysis linked the exploits to APT29 due to similarities with code observed in earlier attacks by the group.
The report raises concerns about how Russian hackers obtained these exploits, suggesting they may have acquired them through purchases or theft from other users of the spyware. Google urges users to keep their software updated to mitigate such risks. Requests for comment from Intellexa, NSO Group, Apple, and relevant government bodies were not returned by press time.
