Google: Russian state hackers used iOS zero-day against Western politicians

Russian state hackers have used a zero-day vulnerability in iOS to attack European politicians. According to Google, the attackers worked for the Russian intelligence service and exploited a flaw in WebKit, Apple's browser engine, after luring their targets with phishing links sent via LinkedIn.

The vulnerability is one of four zero-days that Google's Threat Analysis Group (TAG) describes in its blog post. The other three are vulnerabilities in Chrome and Internet Explorer that, according to the researchers, were also actively exploited. TAG believes those three exploits were developed by a single commercial surveillance company that sold them to government-backed actors; Google does not name the company. All three had already been patched: Google fixed the two Chrome bugs itself, and Microsoft patched Internet Explorer after TAG reported the flaw.

CVE-2021-21166: object lifecycle issue in the audio component of Chrome
CVE-2021-30551: type confusion in the V8 JavaScript engine in Chrome
CVE-2021-33742: remote code execution in the MSHTML platform used by Internet Explorer

Google also describes a fourth zero-day, CVE-2021-1879 in WebKit, the browser engine behind Safari and every other browser on iOS. The bug enabled a universal cross-site scripting attack (UXSS): the exploit turned off Same-Origin Policy protections, so a page controlled by the attacker could read data belonging to other sites, and it used that to collect authentication cookies for Microsoft and Facebook accounts, among others, from the victim's device. This vulnerability too was actively exploited against iOS devices; Apple patched it in March 2021.
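The mechanism described above, in an added example that is not from the Google post or this article: a UXSS payload runs with the privileges of the victim site's own scripts, so for that origin it can read whatever document.cookie exposes. The Node.js script below parses a constructed set of Set-Cookie headers and flags session-like cookies that such a script could read, or that are otherwise weakly scoped. The function names, the cookie-name heuristic and the sample headers are the editor's assumptions, not anything the page states about the sites that were targeted.

```javascript
// Added example (editor's code, not from Google TAG or the article).
// A script-level SOP bypass (UXSS) lets attacker JavaScript run as if it were
// the victim site's own script, so it can read document.cookie for that origin.
// Cookies flagged HttpOnly are never exposed to document.cookie, so auditing
// Set-Cookie headers shows which cookies that theft path could reach.
// The headers below are constructed for illustration.

const SAMPLE_SET_COOKIE = [
  'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'auth_token=fake-token-value; Path=/; Secure',
  'prefs=dark; Path=/; SameSite=Lax',
  '__Host-sid=deadbeef; Path=/; Secure; HttpOnly; SameSite=Strict',
];

// Heuristic (assumption): cookie names that usually carry a login session.
const SESSION_NAME_HINTS = /session|sess|auth|token|sid|jwt/i;

// Parse one Set-Cookie header into name, value and the attributes we audit.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const cookie = { name, value, httpOnly: false, secure: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v] = attr.split('=').map((s) => s.trim());
    const key = k.toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = v === undefined ? '' : v;
  }
  return cookie;
}

// Names of cookies a script running in the page (including a UXSS payload)
// could read through document.cookie: everything without HttpOnly.
function scriptReadableCookies(headers) {
  return headers.map(parseSetCookie).filter((c) => !c.httpOnly).map((c) => c.name);
}

// Report session-like cookies whose attributes leave them exposed.
function auditSetCookie(headers) {
  const findings = [];
  for (const c of headers.map(parseSetCookie)) {
    const looksLikeSession =
      SESSION_NAME_HINTS.test(c.name) ||
      c.name.startsWith('__Host-') ||
      c.name.startsWith('__Secure-');
    const issues = [];
    if (!c.httpOnly) issues.push('readable via document.cookie (no HttpOnly)');
    if (!c.secure) issues.push('sent over plain HTTP (no Secure)');
    if (c.sameSite === null) issues.push('no SameSite attribute');
    else if (c.sameSite.toLowerCase() === 'none') issues.push('SameSite=None: attached to cross-site requests');
    if (looksLikeSession && issues.length > 0) findings.push({ name: c.name, issues });
  }
  return findings;
}

console.log('script-readable:', scriptReadableCookies(SAMPLE_SET_COOKIE));
console.log(JSON.stringify(auditSetCookie(SAMPLE_SET_COOKIE), null, 2));
```

On the sample input the audit flags only auth_token (no HttpOnly, no SameSite); prefs is also script-readable but is not a session cookie. HttpOnly bounds just this one theft path: an engine-level SOP bypass can also read cross-origin response bodies, so the real fix was Apple's WebKit patch and this check is defence in depth, not a substitute.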

According to the Google researchers, the campaign was most likely the work of 'a Russian government-backed actor', an advanced persistent threat (APT). The group used the vulnerability against Western European politicians by sending them LinkedIn messages containing phishing links that, when opened on an iOS device, led to the exploit. Google does not name the group in the blog post, but the lead researcher tells Ars Technica that he "assumes" it is the same group that previously attacked Microsoft. That would be APT29, also known as Nobelium, which is linked to the Russian foreign intelligence service (SVR).

Google also warns in the blog post that the use of zero-days by attackers has grown sharply of late. So far in 2021, 33 zero-days exploited in the wild have been publicly disclosed; in all of 2020 there were 22. Google attributes the rise partly to the commercial market for exploits: "Groups no longer need to have the technical expertise; now they just need resources," the company writes.