Russian State-Backed Hackers Using the Same Techniques as Spyware Makers

Key Takeaways

  • Google researchers found that Russian hackers and commercial spyware vendors are using very similar techniques.
  • The hackers, known as APT29, have been linked to a sustained exploit campaign.
  • It's unclear how these hackers got hold of the same exploits used by spyware developers.

A recent report from Google reveals that Russian state-sponsored hackers, known as APT29 (also called Cozy Bear, Midnight Blizzard, or Nobelium), are using hacking methods that closely resemble those used by commercial spyware makers. This group was behind a major attack on Microsoft earlier this year, and its tactics are raising concerns.

Google’s Threat Analysis Group tracked APT29's activities between November 2023 and July 2024. During this period, the researchers observed the group targeting websites belonging to the Mongolian government. The hackers used methods similar to those employed by companies like NSO Group and Intellexa, which are well known for creating powerful spyware such as Pegasus and Predator. These techniques let the hackers compromise iPhones and Android phones and steal browser cookies from them.

The Google team found that the exploits used by APT29 were "identical or strikingly similar" to those used by these commercial surveillance vendors. This discovery hints at a possible connection between the Russian hackers and the companies that sell these hacking tools to governments.

Exploits Used After Security Flaws Were Patched

Spyware creators like Intellexa and NSO Group have previously been criticized for building tools that governments can use to spy on activists, dissidents, and other countries. It's still unclear whether APT29 hacked into these companies, copied their techniques, or had some other form of contact with them. As Google researcher Clément Lecigne put it, "We do not know how the attackers acquired these exploits."

What is clear is that APT29 used these techniques to target vulnerabilities in iOS’s WebKit and Google’s Chrome browser shortly after the flaws were discovered and patched by the developers. The situation highlights the ongoing challenge of keeping up with sophisticated hacking methods that can be used by both state actors and commercial entities.