Russian hackers hacked government officials’ LinkedIn through iOS vulnerability

Russia’s at it again. Google revealed that Russian hackers targeted government officials in March by exploiting an iOS vulnerability.

New details about the iOS vulnerability is being revealed from the initial exploitation made by Google in March.

State-sponsored hackers have used LinkedIn of all places to attack government officials by utilising this flaw.

Russian hacker group remains a mystery
Image: Twitter

On Wednesday, Google announced the attack in a blog post discussing the vulnerability of iOS, which also involved the Safari browser engine, Webkit.

Security researchers of the company discovered the flaw in mid-March and found indications a suspected ‘Russian government-backed actor’ was the one exploiting it.

CVE-2021-1879 is the scientific-sounding name of the vulnerability.

It made room for malicious computer code to infiltrate an iPhone. To trigger this code to attack, the victim would first need to visit a ‘booby-trapped’ website.

This is where LinkedIn comes in; the Russian hackers have seemingly pulled this off by tapping the professional social network used by millions worldwide.

Google stated:

“In this campaign, attackers used LinkedIn Messaging to target government officials from western European countries by sending them malicious links. If the target visited the link from an iOS device, they would be redirected to an attacker-controlled domain that served the next stage payloads.”

Has no one learnt from scam emails?

The website controlled by these attackers would first check if the visiting iPhone device were real.

Following, it would proceed to trigger the attack via the iOS vulnerability with the objective of account hijacking.

Google further explained:

“This exploit would turn off Same-Origin-Policy protections in order to collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook and Yahoo and send them via WebSocket to an attacker-controlled IP. The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated.”

It isn’t actually known whether this attack was successful or not.

Google’s security team reported the flaw to Apple, which they then patched on March 26th via an iOs update.

What Google hasn’t revealed is the name of this Russian hacking group.

Recently in May, Microsoft (which owns LinkedIn) coincided in blaming a Russian hacking group for exploiting the CVE-2021-1879 vulnerability.

Microsoft claims the group behind the attack is called ‘Nobelium’, also known as APT29 or Cozy Bear (which sounds like an episode of Black Mirror, no?).

The U.S has inklings that this group has ties to Russian intelligence services.

Additionally, Google also mentioned this incident in comparison to a disturbing increase in hackers exploiting previously unknown vulnerabilities, also known as zero-day exploits) to hit targets,

“Halfway into 2021, there have been 33 0-day exploits used in attacks that have been publicly disclosed this year — 11 more than the total number from 2020,” the company wrote.

Why is the increase occurring more rapidly now? Google partially attributed the increase to “improvements in detection and a growing culture of disclosure” within the security community.

On top of this, these hackers may also have greater access to more zero-day vulnerabilities, which can be attributed to the proliferation of commercial cyber-arms dealers.

The “maturation” of security technologies can also be another possible reason.

Since some products are becoming progressively more difficult to hack, cybercriminals and spies opt to use previously unknown vulnerabilities to exploit them,

 “Attackers needing more 0-day exploits to maintain their capabilities is a good thing — and it reflects increased cost to the attackers from security measures that close known vulnerabilities,” Google said.

However, Google suspects it only detects “a small percentage of the 0-days actually being used” worldwide. No immediate response was made from LinkedIn when requested for comment. And alas, this isn’t the first time a Russian hacker has messed with LinkedIn, and it won’t be the last.