Google: Russian state hackers used iOS zero-day against Western politicians


Russian state hackers have used an iOS zero-day to attack Western European politicians. According to Google, the attackers worked for the Russian intelligence service and sent the politicians phishing links via LinkedIn; the linked pages exploited a vulnerability in WebKit, the browser engine behind Safari on iOS.

The vulnerability is one of four zero-days that Google's Threat Analysis Group (TAG) describes in a blog post. TAG also found three vulnerabilities in Chrome and Internet Explorer that, according to the researchers, were being actively exploited. Those three were bought from a commercial company by "a government"; Google does not give further details. All three have since been fixed: the two Chrome bugs by Google, and the Internet Explorer bug by Microsoft after TAG notified it.

CVE-2021-21166 Object Lifecycle Issue in Chrome
CVE-2021-30551 Type confusion in V8 engine in Chrome
CVE-2021-33742 Remote code execution in MSHTML Platform in Internet Explorer

Google also describes a fourth zero-day, CVE-2021-1879, a universal cross-site scripting (UXSS) bug in WebKit, the engine used by Safari on iOS. The exploit turned off WebKit's Same-Origin Policy protections, which normally stop a page from reading data that belongs to another site, so that a malicious page could collect authentication cookies for services such as Microsoft and Facebook from the victim's browser. This vulnerability too was actively exploited.
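
To make concrete what "turning off the Same-Origin Policy" buys an attacker, here is an added example (not code from Google's post, from the exploit, or from this article) that models the browser's same-origin rule and the CORS opt-in in plain JavaScript, then runs a constructed set of cross-origin reads with the policy on and off. The hostnames, endpoints and response headers are illustrative assumptions, not the real attacker infrastructure or the real services' configuration.

```javascript
// Added example, not code from Google's post or from the article. It models
// the browser's same-origin policy (the check the CVE-2021-1879 exploit turned
// off in WebKit) so the effect of disabling it can be seen on constructed
// inputs. Hostnames and headers below are illustrative assumptions.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Canonical origin of a URL: scheme, host and effective port.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// May script running on pageUrl read a response it fetched from targetUrl?
// Same origin: always. Cross origin: only if the target opted in via CORS.
// For a credentialed request (cookies sent) "*" is not accepted and the
// server must also send Access-Control-Allow-Credentials: true.
function mayReadResponse(pageUrl, targetUrl, responseHeaders, opts = {}) {
  const { credentials = true, sopEnabled = true } = opts;
  if (!sopEnabled) return true; // the state the UXSS exploit created
  if (isSameOrigin(pageUrl, targetUrl)) return true;
  const h = Object.fromEntries(
    Object.entries(responseHeaders || {}).map(([k, v]) => [k.toLowerCase(), v])
  );
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !credentials;
  let allowed;
  try {
    allowed = originOf(acao) === originOf(pageUrl);
  } catch (e) {
    return false; // malformed or "null" allow-origin value never matches
  }
  if (!allowed) return false;
  return !credentials || h["access-control-allow-credentials"] === "true";
}

// Constructed sample: endpoints an attacker page would try to read while the
// victim is logged in. Only the third one opts in to CORS, and only for
// anonymous requests.
const SAMPLE_TARGETS = [
  { url: "https://www.facebook.com/me", headers: {} },
  { url: "https://login.microsoftonline.com/me", headers: {} },
  { url: "https://api.example.org/public", headers: { "Access-Control-Allow-Origin": "*" } },
];

// URLs whose authenticated (cookie-bearing) responses the attacker page can read.
function readableFrom(attackerPage, targets, sopEnabled) {
  return targets
    .filter(t => mayReadResponse(attackerPage, t.url, t.headers, { credentials: true, sopEnabled }))
    .map(t => t.url);
}

console.log("SOP on :", readableFrom("https://attacker.example/lure", SAMPLE_TARGETS, true));
console.log("SOP off:", readableFrom("https://attacker.example/lure", SAMPLE_TARGETS, false));
```

With the policy enforced, the attacker page reads nothing from the logged-in sessions, not even from the endpoint that answers `Access-Control-Allow-Origin: *`, because that wildcard is not honoured for credentialed requests. With the policy switched off, every response is readable, which is exactly why a single engine-level UXSS bug is enough to harvest sessions across many unrelated sites at once.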

According to the Google researchers, the attacks were most likely the work of "a Russian APT", an advanced persistent threat group, which used the vulnerability against Western European politicians by sending them LinkedIn messages containing phishing links. The blog post does not name the group, but the lead researcher told Ars Technica that he "assumes" it is the same group that previously attacked Microsoft. That would be APT29, also known as Nobelium, which is linked to the Russian foreign intelligence service (SVR).

Google also warns in the blog post that the use of zero-days by hacker groups has grown sharply: 33 zero-days exploited in the wild have been disclosed so far this year, against 22 in all of 2020. Exploiting them no longer requires in-house technical expertise, the company writes, only the resources to buy the capability.
