Russian state hackers using cyberweapons developed by Western spyware firms


The Russian government-backed threat actor Cozy Bear is attacking governments using the same exploits and code used by the commercial cyber-surveillance companies Intellexa and NSO Group, the latter infamous for the Pegasus spyware.

In November 2023, Cozy Bear, tracked as APT29, attacked Mongolian government websites using an exploit whose code was almost identical to one previously used by Intellexa, a commercial cyber-surveillance company, Google's Threat Analysis Group (TAG) has discovered.

Intellexa first used the malicious code in September 2023, when the underlying vulnerability was still a zero-day.

A month later, Cozy Bear compromised the cabinet.gov[.]mn and mfa.gov[.]mn websites by adding a hidden iframe that delivered the exploit and a cookie stealer to iPhone users. The threat actor repeated the attack with the same Intellexa exploit in February 2024.
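The watering-hole mechanism described above is an injected, hidden iframe on a legitimate site. As an added example (not code from the TAG report), here is a site-integrity check that a website operator could run over their own pages to flag iframes that are hidden or point off-origin; the HTML and the domains in it are constructed placeholders.

```python
"""Flag hidden or off-origin iframes, the injected-iframe pattern used in
watering-hole compromises (added example; sample HTML and domains are constructed)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE_HINTS = ("display:none", "visibility:hidden")


def _is_hidden(attrs: dict) -> bool:
    """True if the frame is styled invisible or has zero width/height."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if any(hint in style for hint in HIDDEN_STYLE_HINTS):
        return True
    try:
        return int(attrs.get("width", "1")) == 0 or int(attrs.get("height", "1")) == 0
    except ValueError:
        return False


class IframeAuditor(HTMLParser):
    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        # A relative src stays on our own origin; an absolute one may not.
        host = urlparse(a.get("src", "")).hostname or self.site_host
        off_origin = host != self.site_host
        hidden = _is_hidden(a)
        if off_origin or hidden:
            self.findings.append({"src": a.get("src", ""), "off_origin": off_origin, "hidden": hidden})


def audit_page(html: str, site_host: str) -> list:
    """Return one finding per suspicious iframe in the page."""
    parser = IframeAuditor(site_host)
    parser.feed(html)
    return parser.findings


# Constructed sample: one legitimate same-origin frame, one injected hidden off-origin frame.
SAMPLE_HTML = """<html><body>
<iframe src="https://www.example.gov/embed/map"></iframe>
<iframe src="https://attacker.invalid/x" width="0" height="0" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML, "www.example.gov"):
        print(finding)
```

Run it against a saved copy of each public page and alert on any new finding; a frame that is both hidden and off-origin is the strongest signal.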

The exploit used the exact same trigger as the exploit used by Intellexa <...> strongly suggesting the authors and/or providers are the same. “We don’t know how attackers in the recent watering hole campaigns acquired this exploit,” TAG researchers said.

The Russian operators made small improvements to the code. They added a failure mode that reports back to the command-and-control server if something goes wrong and then attempts to crash the victim's browser with an out-of-memory error. The Russian version also includes an addition that collects more data from the target device.


That was not the only instance of the group using code crafted by commercial spyware firms.

In July 2024, Cozy Bear compromised the Mongolian government website again. This time, it delivered a different exploit and an information-stealing payload to Android users, adapted from an NSO Group exploit.

The two vulnerabilities chained together in NSO Group's exploit had been discovered and reported in May 2024.

“Here the attacker adapted NSO Group’s exploit. Even though they share a very similar trigger, as seen in the screenshot below, the two exploits are conceptually different, and the similarities are less obvious than the iOS exploit,” researchers said.

[Screenshot from the TAG report comparing the triggers of the two exploits]

Cozy Bear varied its delivery approach and second-stage objectives. In each iteration of the attacks, however, the Russian operators used exploits identical or strikingly similar to those of the spyware vendors.

“We do not know how the attackers acquired these exploits. What is clear is that APT actors are using n-day exploits that were originally used as zero-days by CSVs,” the Google TAG report reads.

Google TAG warns that sophisticated exploits developed by commercial surveillance vendors are proliferating to dangerous threat actors. While both vulnerabilities have been patched, devices still running vulnerable software versions can be compromised.

“We urge users and organizations to apply patches quickly and keep software fully up-to-date for their protection,” the report said.

Besides APT29, Cozy Bear has gone under many aliases, including the Dukes, StellarParticle, UNC2452, and Dark Halo. The group has been attributed to Russia's Foreign Intelligence Service (SVR). Operating since at least 2008, Cozy Bear often targets government networks in Europe and NATO member states. The devastating SolarWinds compromise has also been attributed to the same threat actor.