Google has uncovered evidence that Russian government hackers, identified as APT29, are using spyware exploits originally developed by NSO Group and Intellexa. The exploits target vulnerabilities that had already been patched, and were found embedded on Mongolian government websites in a watering hole attack aimed at iPhones and Android devices between November 2023 and July 2024.
APT29, also known as Cozy Bear, is a notorious hacking group linked to Russia’s Foreign Intelligence Service (SVR). The group is known for its sophisticated cyber-espionage campaigns aimed at major tech companies, foreign governments, and critical infrastructure. Google’s Threat Analysis Group (TAG) revealed that APT29 used these exploits to steal user data, including passwords and account cookies, through vulnerabilities in the Safari browser on iPhones and Google Chrome on Android devices.
The attack involved hidden exploit code on websites frequented by Mongolian government employees. The stolen cookies from these visits could then be used to access personal and work accounts. Google highlighted that although the vulnerabilities had been patched, the exploits remained effective on devices that had not been updated.
A key concern raised by Google is how the Russian hackers obtained the exploits. Google noted that the exploits used by APT29 were either “identical or strikingly similar” to those developed by NSO Group and Intellexa. The reuse of this code suggests that the Russian hackers may have acquired the exploits through purchase or theft. Google ruled out the possibility that the exploits were independently recreated, given the complexity and specificity of the code.
Google emphasized the importance of keeping software up-to-date to prevent such attacks, particularly on high-risk devices. iPhone and iPad users with the Lockdown Mode feature enabled were not affected by the attack, even if they were running vulnerable software versions. This incident underscores the ongoing global risks associated with spyware technology and its potential misuse by state actors.