Google has revealed new details about an iOS vulnerability that was exploited in March. It turns out that a suspected Russian state-backed hacking group used the flaw to target government officials through LinkedIn.

In a blog post on Wednesday, Google discussed an iOS vulnerability in WebKit, the browser engine behind Safari. The company’s security researchers discovered the flaw on March 19 and found signs that it was being abused by what they believe are “actors with Russian government support.”

The vulnerability, tracked as CVE-2021-1879, lets a malicious web page run script in Safari on the iPhone that bypasses the browser’s same-origin protections. To trigger the attack, however, the victim first has to visit a booby-trapped website, and the Russian hackers appear to have managed this by luring targets through LinkedIn, the professional social network used by millions of people.

“In this campaign, attackers used LinkedIn messaging to target government officials in Western Europe by sending them malicious links,” Google wrote. “If the target visits the link from an iOS device, they are redirected to an attacker-controlled domain that serves the next-stage payload.”

The attacker-controlled website first checks whether the visitor is really on an iPhone. It then launches the exploit for the iOS vulnerability, with the goal of taking over the victim’s accounts.

“This exploit turns off Same-Origin-Policy protections in order to collect authentication cookies from several popular websites, such as Google, Microsoft, LinkedIn, Facebook, and Yahoo, and sends them to attacker-controlled IPs via WebSockets,” Google said. “Victims need to have a session open on these websites in Safari for the cookies to be successfully stolen.”
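As an added, illustrative example (not code from Google’s post and not anything from the campaign itself), the following Python detector runs over constructed proxy log lines and flags the traffic pattern the quote describes: a WebSocket upgrade from an iOS Safari client to a host that is a bare IP address rather than a hostname. The log format, the field names, the IP addresses (taken from documentation ranges) and the user-agent strings are all assumptions made for this example.

```python
"""Flag WebSocket connections from iOS Safari to bare-IP hosts in proxy logs.

Added example: a triage rule for the exfiltration channel described in the
article (cookies sent over WebSockets to attacker-controlled IPs). Everything
below, including the log format and the sample lines, is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not real traffic). The line format is an
# assumption made for this example:
#   <timestamp> <client-ip> <method> <url> ua="<user-agent>" upgrade=<value|->
SAMPLE_LOG = """\
2021-03-20T10:01:02Z 10.0.0.5 GET https://www.linkedin.com/messaging/ ua="Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Mobile/15E148 Safari/604.1" upgrade=-
2021-03-20T10:01:05Z 10.0.0.5 GET https://203.0.113.7/ws ua="Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Mobile/15E148 Safari/604.1" upgrade=websocket
2021-03-20T10:02:11Z 10.0.0.9 GET https://chat.example.com/socket ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36" upgrade=websocket
2021-03-20T10:03:00Z 10.0.0.5 GET https://203.0.113.7/beacon ua="Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Mobile/15E148 Safari/604.1" upgrade=-
2021-03-20T10:04:30Z 10.0.0.9 GET https://[2001:db8::10]/sock ua="Mozilla/5.0 (iPad; CPU OS 14_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Mobile/15E148 Safari/604.1" upgrade=websocket
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+'
    r'ua="(?P<ua>[^"]*)"\s+upgrade=(?P<upgrade>\S+)\s*$'
)


@dataclass
class Alert:
    ts: str
    client: str
    host: str
    severity: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one assumed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # urlsplit().hostname lowercases the host and strips IPv6 brackets.
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec


def host_is_bare_ip(host: str) -> bool:
    """True when the request went to an IP literal (v4 or v6) instead of a hostname."""
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_ios_safari(ua: str) -> bool:
    """Rough Safari-on-iOS check; excludes Chrome (CriOS) and Firefox (FxiOS) on iOS."""
    if not re.search(r"\((?:iPhone|iPad|iPod)[;\s]", ua):
        return False
    return "Safari/" in ua and "CriOS/" not in ua and "FxiOS/" not in ua


def detect(log_text: str) -> List[Alert]:
    """Scan log lines in order and return alerts for iOS Safari traffic to bare-IP hosts.

    A WebSocket upgrade to a bare IP is rated high (it matches the exfiltration
    channel in the article); any other request to a bare IP from iOS Safari is
    rated low, since legitimate sites almost always use hostnames.
    """
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_ios_safari(rec["ua"]) or not host_is_bare_ip(rec["host"]):
            continue
        if rec["upgrade"].lower() == "websocket":
            severity = "high"
            reason = "WebSocket upgrade from iOS Safari to a bare-IP host"
        else:
            severity = "low"
            reason = "iOS Safari request to a bare-IP host"
        alerts.append(Alert(rec["ts"], rec["client"], rec["host"], severity, reason))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.severity:4} {a.ts} {a.client} -> {a.host}: {a.reason}")
```

The rule is a triage signal, not proof of compromise: some legitimate apps do open WebSockets to raw IPs, and the earlier hop in the chain (the redirect from the LinkedIn link to the attacker-controlled domain) is not visible to it, so in practice it should be correlated with the referrer and destination-domain data the egress proxy actually records.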

It is unknown whether the attacks succeeded. Google’s security team reported the flaw to Apple, which patched it in an iOS update on March 26.

Google did not name the Russian hacking group it believes exploited the vulnerability. In May, however, Microsoft, which owns LinkedIn, also accused a Russian hacking group of abusing CVE-2021-1879. According to Microsoft, the group behind the attack is Nobelium (also known as APT29 or Cozy Bear), which the United States has tied to Russian intelligence.

Google mentioned the incident while discussing a worrying rise in attacks that exploit previously unknown vulnerabilities (zero-day exploits). “As of mid-2021, 33 zero-day exploits have been used in attacks disclosed this year, 11 more than the total for 2020,” the company wrote.

So why is it increasing? Google partly attributes the rise to “improved detection and a growing culture of disclosure” within the security community. Attackers may also be gaining access to zero-days through the proliferation of commercial cyberweapon dealers.

Another possible reason is the “maturity” of security technology: some products are hard enough to break into that criminals and spies have no choice but to exploit previously unknown vulnerabilities. “Attackers needing more zero-day exploits to maintain their capabilities is a good thing, and reflects the increased cost to attackers from security measures that close known vulnerabilities,” Google added. That said, Google believes it has detected only “a small portion of the actual zero-day attacks in use” worldwide.

LinkedIn did not immediately respond to the request for comment.

