Annoying LinkedIn Networkers Actually Russian Hackers Spreading Zero-Days, Google Says

Most LinkedIn spam is just annoying. But new research from Google suggests some of it was outright dangerous: Russian government hackers targeted European government officials with LinkedIn messages that contained malicious links designed to exploit unknown vulnerabilities in Windows and iOS, according to Google's report. 

Google's Threat Analysis Group published new research on Wednesday, detailing several hacking campaigns leveraging a series of zero-day exploits, meaning hacks that rely on vulnerabilities that are unknown to the developers of the targeted software. 

One of the hacking campaigns, the one targeting "government officials from western European countries," as Google put it, relied on a zero-day in WebKit, the browser engine developed by Apple, which is used in Safari and all the major browsers for iOS. This vulnerability (named CVE-2021-1879) was patched by Apple on March 26. 

As Motherboard reported in May, this year has been particularly bad when it comes to WebKit vulnerabilities exploited by hackers in the wild. 

When the targets of this campaign clicked on the malicious links sent via LinkedIn messages, they would visit a website controlled by the hackers, which triggered the exploit on their iPhones. The exploit was designed to steal authentication cookies from Google, Microsoft, LinkedIn, Facebook, and Yahoo, according to Google.

It's unclear how many people were targeted in this campaign, and how many were ultimately hacked.

In an email to Motherboard, Shane Huntley, the director of Google TAG, the group who did the research, said that they “don't have visibility into the success rates.” But he added that “each month, we send more than 4,000 warnings to our users about attempts by government-backed attackers or other illicit actors to infiltrate their accounts.”

Google described the hacking group as "likely Russian government-backed."

Huntley said that they were able to “strongly link aspects of the attacks to other previously known operations attributed to Russian government actors.”

The hackers were the same ones who targeted Windows users in a wide-scale email phishing campaign described by Microsoft in two reports published in May. At the time, Microsoft said that if the targets of that campaign clicked on the phishing email from an iOS device, they would be exploited with the WebKit exploit found by Google. 

In its report on Wednesday, Google researchers Maddie Stone and Clement Lecigne try to answer the question: why have there been so many zero-days exploited in the wild this year? According to Google's tally, there have been a total of 33 zero-days exploited in the wild in the first half of the year, compared to 22 which were detected overall last year. 

Stone and Lecigne speculate that one of the reasons could be that companies and researchers have gotten better at catching and detecting the exploits, which wouldn't necessarily mean that there are now more zero-days, just that the industry wasn't as good at catching them in the past. The two, however, believe it's "likely" that hackers are just using more zero-days, perhaps because platforms are so secure now that the only way to exploit it them is by finding unknown vulnerabilities, or because there are more vendors researching, buying, and selling these kind of capabilities, which usually take a lot of time to find and are expensive to buy and develop.

"Over the last decade, we believe there has been an increase in attackers using 0-day exploits," the researchers wrote. "Attackers needing more 0-day exploits to maintain their capabilities is a good thing—and it reflects increased cost to the attackers from security measures that close known vulnerabilities."

"Increasing our detection of 0-day exploits is a good thing—it allows us to get those vulnerabilities fixed and protect users, and gives us a fuller picture of the exploitation that is actually happening so we can make more informed decisions on how to prevent and fight it," they concluded. 

UPDATE, July 14, 2021, 12:43 p.m. ET: This story was updated to include comments from Google’s Shane Huntely.

Subscribe to our cybersecurity podcast CYBER, here.