The Russian state-backed hacking group Cozy Bear, also tracked as APT29, has been using exploits that match code developed by Western commercial surveillance vendors such as Intellexa and NSO Group to target visitors to government websites, according to Google's Threat Analysis Group (TAG).
Cozy Bear, a threat group operating with the support of the Russian government, compromised Mongolian government websites and used them as watering holes, delivering exploits originally built by commercial spyware vendors to anyone who visited. In November 2023, the group served a browser exploit that TAG found to be the same as one previously used by Intellexa. The attack was repeated in February 2024, and in July 2024 the same actor switched to a different exploit that closely resembled one previously deployed by NSO Group.
The attackers did not reuse the vendor code unchanged: they modified it to add a failure-reporting mode that, if exploitation goes wrong, sends diagnostic information to the command-and-control server and then attempts to crash the victim's browser rather than leave traces behind. These campaigns show how zero-day exploits developed and sold by commercial spyware vendors do not stay with their original customers: once such code is in circulation, well-resourced state actors such as APT29 can acquire or copy it and turn it against their own targets.
By the time APT29 deployed them, the vulnerabilities these exploits targeted had already been patched by the affected browser vendors, so the campaigns succeeded only against users running outdated software. Google TAG therefore urges users and organizations to apply security updates promptly and keep browsers and applications up to date, since a known exploit that was once a zero-day remains effective against every device that has not yet been patched.