State-sponsored hacking groups and commercial spyware vendors appear to be sharing exploits, or at least using the same exploit code, according to researchers on Google's security team.
Google's Threat Analysis Group (TAG) reports that it recently observed an operation in which a number of Mongolian government organizations were targeted by a Russian state-sponsored APT using a suspiciously familiar set of exploits for known, already-patched vulnerabilities.
After some review, the team was able to link those exploits to ones previously used by two of the most prominent commercial spyware vendors.
“These campaigns delivered n-day exploits for which patches were available, but would still be effective against unpatched devices. We assess with moderate confidence the campaigns are linked to the Russian government-backed actor APT29,” wrote Google researcher Clement Lecigne.
“In each iteration of the watering hole campaigns, the attackers used exploits that were identical or strikingly similar to exploits previously used by commercial surveillance vendors (CSVs) Intellexa and NSO Group.”
According to Google, the operation was a classic "watering hole": legitimate websites that the intended targets already visit were compromised and seeded with exploit code, so that anyone browsing them on an unpatched device was attacked without having to be lured anywhere.
Once a visiting device was exploited, it was served payloads that attempted to steal information and eavesdrop on communications.
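One practical check a site owner can run against the watering-hole scenario described above is to diff the remote content a page actually loads against the origins the site is supposed to use. The following is an added example, not code from Google TAG or from the article; it assumes (as a simplification) that an injected exploit shows up as a `<script>`, `<iframe>`, `<object>` or `<embed>` pointing at an origin outside the owner's allowlist, and the allowlist and sample HTML are constructed for illustration.

```python
"""Flag remote loaders in a page's HTML whose origin is not on an allowlist.

Added example, not code from Google TAG or the article. Assumption: a
watering-hole injection appears as a script/iframe/object/embed loading
from an origin the site owner does not expect. Relative and same-origin
URLs are ignored; inline scripts are out of scope (see usage note).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: origins a hypothetical site owner legitimately serves from.
ALLOWED_ORIGINS = {"www.example.gov", "cdn.example.gov"}

# Element -> attribute that names the remote resource it loads.
WATCHED = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}


class ExternalLoaderParser(HTMLParser):
    """Collect watched elements that reference a non-allowlisted host."""

    def __init__(self, allowed):
        super().__init__()
        self.allowed = allowed
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = WATCHED.get(tag)
        if attr_name is None:
            return
        attrs = {k: (v or "") for k, v in attrs}
        src = attrs.get(attr_name, "")
        # urlparse handles absolute and protocol-relative ("//host/x") URLs;
        # a relative path has no hostname and is treated as same-origin.
        host = urlparse(src).hostname
        if not host or host in self.allowed:
            return
        style = attrs.get("style", "").replace(" ", "").lower()
        # Injected frames are often made invisible; record that as a signal.
        hidden = (
            "display:none" in style
            or "visibility:hidden" in style
            or attrs.get("width") == "0"
            or attrs.get("height") == "0"
        )
        self.findings.append(
            {"tag": tag, "src": src, "host": host, "hidden": hidden}
        )


def find_unexpected_loaders(html, allowed=None):
    """Return a list of findings for remote loaders outside `allowed`."""
    parser = ExternalLoaderParser(allowed if allowed is not None else ALLOWED_ORIGINS)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a legitimate CDN script, a local script, and one
# hidden zero-size iframe pointing at an unrelated host.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example.gov/app.js"></script>
<script src="/static/local.js"></script>
</head><body>
<iframe src="https://landing.invalid/index.html" width="0" height="0"
        style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in find_unexpected_loaders(SAMPLE_HTML):
        print(f"{f['tag']} -> {f['host']} (hidden={f['hidden']}): {f['src']}")
```

Run it against a fetched copy of each public page on a schedule and alert on any new finding; a hidden iframe to an unfamiliar host is exactly the kind of change a site owner would otherwise never notice. The check is deliberately narrow: it does not catch an injected inline `<script>` body or a tampered first-party file, so pair it with hashing of the site's own static assets.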
While an attack in Mongolia will likely be of little direct relevance to most administrators and network defenders in the U.S., the fact that government-connected groups are using the same exploit code as commercial spyware vendors should be of concern.
Though commercial vendors such as NSO Group and Intellexa maintain that they sell their products only to certain government and law enforcement organizations for lawful surveillance, the products have been linked to sanctioned governments and criticized by both human rights and privacy advocates as tools for illegal surveillance and repression.
Google noted that it is not immediately clear whether these exploits were shared directly by the vendors, or whether the Russian APT obtained and re-used the exploit code by some other means.
“While we are uncertain how suspected APT29 actors acquired these exploits, our research underscores the extent to which exploits first developed by the commercial surveillance industry are proliferated to dangerous threat actors,” explained Lecigne.
“Moreover, watering hole attacks remain a threat where sophisticated exploits can be utilized to target those that visit sites regularly, including on mobile devices.”