According to Google, SolarWinds hackers used the vulnerability to steal web security credentials from Western European government officials.
Google published a report on Wednesday to share details of its latest findings on the SolarWinds supply chain attack discovered in 2020.
The latest revelation is that SolarWinds hackers learned about and exploited an iOS zero-day vulnerability (tracked as CVE-2021-1879), which resided in the browser engine WebKit, to compromise updated iPhones and made millions from targeting phones worldwide.
Google researchers Maddie Stone and Clement Lecigne wrote that the threat actor(s) are most likely a Russian government-sponsored group that exploited a then-unknown iOS zero-day. It is suspected that the hackers are working for the Russian Foreign Intelligence Service.
Western European Governments the Key Targets
This cyberattack was reportedly part of an email campaign launched to steal web security credentials from Western European governments. The hackers sent messages to government officials via LinkedIn.
Google’s Threat Analysis Group head, Shane Huntley, confirmed that there is indeed a connection between the USAID attacks and the iOS zero-day, even though the two are entirely different campaigns.
“These are two different campaigns, but based on our visibility, we consider the actors behind the WebKit 0-day and the USAID campaign to be the same group of actors. It is important to note that everyone draws actor boundaries differently. In this particular case, we are aligned with the US and UK governments’ assessment of APT 29,” Huntley noted.
Both Windows and iOS Targeted
Microsoft researchers revealed that Nobelium, the name the company uses to refer to the SolarWinds attackers, sent malware to Windows users as well. They first compromised a USAID account that belonged to an online marketing company called Constant Contact.
They then used this account to send emails to addresses belonging to the US agency that administers civilian foreign aid and development assistance.
In the iOS campaign, by contrast, the attackers targeted iOS versions 12.4 to 13.7, redirecting users to domains that deployed malicious payloads even to updated iPhones.
These payloads collected authentication cookies from various websites, including Facebook, LinkedIn, Google, and Yahoo, and later sent the data back to the attackers over a WebSocket.