Concise Cyber


Google TAG Report: State-Backed Attackers and Spyware Vendors Use Identical Exploits

A report from Google's Threat Analysis Group (TAG) documents a significant overlap between the tooling of government-backed hacking groups and that of commercial surveillance vendors (CSVs). Its analysis of four 0-day vulnerabilities exploited in the wild in 2023 shows the same exploits being used repeatedly by both kinds of actor, which points to capabilities being shared or sold between them and blurs the line between state and commercial operations.

The report, titled "Paying for an APT? Commercial surveillance vendors and the new proliferation of 0-day exploits," details how access to sophisticated exploit chains is no longer limited to the best-resourced government agencies. The growth of the commercial spyware industry has put these tools in many more hands.

Shared iOS Exploit Chain Targets Users in Egypt

One documented case involved a full exploit chain against iOS. TAG first observed the chain being delivered by a commercial vendor: targets in Egypt received SMS messages containing links that led to landing pages on infrastructure associated with the spyware vendor Cytrox. Just days later, TAG found the same exploit chain being deployed by a different actor, a state-backed group from the United Arab Emirates (UAE). That group also targeted iOS users in Egypt with one-time links sent over SMS, a direct reuse of the vendor's exploit rather than an independently developed one.

Vulnerabilities in Android and Chrome

The pattern of reuse extends beyond iOS. Another example highlighted by TAG is a vulnerability in the Arm Mali GPU kernel driver, tracked as CVE-2023-4211, which affects a wide range of Android devices because the driver ships in many vendors' kernels. The exploit for this bug was developed by a commercial surveillance vendor and was observed being delivered in the wild. Arm released a fix in its driver in August 2023, but a driver-level fix only reaches end users once each device manufacturer rebuilds and ships the updated kernel, which Samsung and others did subsequently; until then, affected devices remained exploitable. The report also documents exploitation of a Chrome vulnerability, CVE-2023-2136 (an integer overflow in the Skia graphics library), by commercial vendors. Taken together, this evidence supports the finding that the commercial market is a key driver in the proliferation of advanced exploits across platforms.

Source: https://blog.google/threat-analysis-group/state-backed-attackers-and-commercial-surveillance-vendors-repeatedly-use-the-same-exploits/