Commercial Spyware Vendors Have a Copycat in Top Russian APT
Russia's Midnight Blizzard infected Mongolian government websites to try to compromise the devices of visitors, using watering-hole tactics.
APT29 is an espionage-focused threat actor associated with Russian intelligence, making its tactics relevant to understanding state-backed cyber risk.
Search across headline titles and summaries.
Background for this topic.
APT29 is a sophisticated cyber espionage group linked to a nation-state, known for stealthy, long-term intrusions targeting government agencies, think tanks, and research institutions. They employ custom malware, zero-day exploits, and social engineering to gain initial access and maintain persistence, often using legitimate credentials to avoid detection. Their operations focus on intelligence collection rather than immediate disruption or destruction.
Security teams should watch for signs of credential compromise, lateral movement, and covert data exfiltration associated with APT29 activity. Defenses that emphasize multi-factor authentication, network segmentation, and behavioral anomaly detection can reduce risk. Understanding APT29’s tactics, techniques, and procedures (TTPs) enables more effective threat hunting and tailored monitoring to detect and mitigate espionage campaigns early.
Russia's Midnight Blizzard infected Mongolian government websites to try to compromise the devices of visitors, using watering-hole tactics.
Russia's Midnight Blizzard infected Mongolian government websites to try to compromise the devices of visitors, using watering-hole tactics.
In a campaign targeting Mongolian government websites, Russian-backed APT29 leveraged exploits previously used by spyware vendors NSO Group and Intellexa
Google researchers note the similarities, can't find a link Google's Threat Analysis Group (TAG) has spotted a disturbing similarity in attack tactics used by commercial spyware vendors and Russia-linked attack gangs.…
The Russian state-sponsored APT29 hacking group has been observed using the same iOS and Android exploits created by commercial spyware vendors in a series of cyberattacks between November 2023 and July 2024. [...]