Google: apparent Russian hackers play copycat to commercial spyware vendors

When experts on spyware outline the dangers of that snooping technology, they often note how vendors can put tools in the hands of their customers that are nearly as sophisticated as the capabilities of the most advanced cyber nations in the world.

Now, researchers have turned up a case where a likely Russian government-backed hacking crew has apparently embraced exploits first used by commercial spyware vendors (CSVs).

Google’s Threat Analysis Group published a blog post Thursday that details recent watering hole attacks, during which hackers infect a website to target its users, in this case Mongolian government websites. The report assesses with “moderate confidence” that the campaigns were the handiwork of APT29, a group that’s been linked to Russia’s Foreign Intelligence Service and that is sometimes also referred to as Cozy Bear or Midnight Blizzard. 

Google stated that the hackers used “n-day” exploits, or vulnerabilities that are publicly known but not yet patched.  In this case, the  former 0-day — or previously unknown — exploits were used by major commercial spyware producers.

“In each iteration of the watering hole campaigns, the attackers used exploits that were identical or strikingly similar to exploits from CSVs, Intellexa and NSO Group,” the report states. “We do not know how the attackers acquired these exploits. What is clear is that APT actors are using n-day exploits that were originally used as 0-days by CSVs.”

The campaigns occurred from November of last year to this July.

The last year-plus has brought a wave of government action to crack down on spyware abuses, from the United States’ executive order, to the publication of a European Union report, to Poland’s groundbreaking reckoning with its own spyware past. While there are signs the pressure is having an impact, Google’s report is evidence of the ongoing sophistication of commercial spyware vendors.

Some experts suggest that leading cyber nations like Russia have little need to buy commercial spyware technology. But it does offer less technologically advanced countries user-friendly and effective surveillance tools they couldn’t otherwise develop themselves. 

This wouldn’t be the first time that commercial spyware companies have outpaced nations themselves, with Google revealing in March that these vendors last year accounted for the majority of known exploited mobile and browser 0-day vulnerabilities.

Its Thursday report highlights the ongoing threat spyware vendors can pose.

“While we are uncertain how suspected APT29 actors acquired these exploits, our research underscores the extent to which exploits first developed by the commercial surveillance industry are proliferated to dangerous threat actors,” the report states.