Hackers linked to the Russian foreign intelligence service (SVR) used tools extremely similar to those developed by the companies NSO and Intellexa to exploit security vulnerabilities, Google’s cybersecurity division revealed in a report published Thursday, August 29. According to the company’s researchers, these were used in an elaborate campaign, probably targeting government officials in Mongolia.
From November 2023 to July 2024, hackers managed to insert malicious code into the web pages of two Mongolian government sites. This code was intended to steal the passwords and cookies of site visitors and, in particular, to retrieve the identifiers that allowed them to connect to the official email boxes of employees of the Mongolian Ministry of Foreign Affairs. The security flaws used by the malicious code had already been fixed by Apple and Google at the time, but they could still allow the theft of information from Internet users using outdated phones.
Russian intelligence services are often accused of hacking attempts against foreign ministries in other countries. But the campaign detailed by Google has a notable peculiarity: the computer code used is very similar, even in some places exactly the same, to the code already used shortly before in hacking tools developed by two private companies, Intellexa and NSO Group. So much so that Google researchers rule out the hypothesis that it could be a coincidence.
“Proliferation”
Intellexa and NSO Group are two of the leading private sector spyware developers. The Israeli company NSO Group notably publishes Pegasus, the powerful spyware that was used to spy on hundreds of people in France, including members of the French government, as revealed by Forbidden Stories and The world. Intellexa, a consortium of cyber surveillance companies based in Cyprus, markets, among other things, the Predator spyware.
Both companies have always maintained that they do not sell their products in Russia. NSO confirmed to the specialized site Techcrunch that its “The technologies are sold only to customers approved by U.S. and Israeli intelligence and research agencies.” The tools designed by the two companies could also have been copied by the authors of the campaign discovered by Google after being observed by Russian security services, or have been acquired from a source that also sold the same tools to NSO or Intellexa.
“We don’t know how APT29 [le groupe de pirates liés au SVR] was able to acquire these vulnerabilitiesGoogle writes, But our research shows how easily tools initially designed by private cyber surveillance companies can spread to dangerous actors. »
