Google discovers Russian hackers using LinkedIn to target government officials

Google’s Threat Analysis Group has revealed that Russian hackers used LinkedIn messages to target government officials who owned Apple devices. 

The Russian hackers using LinkedIn messages previously have masked their attacks under the guise of the U.S. Agency for International Development and are linked to the hackers who breached SolarWinds computer network management software that compromised nine federal agencies, according to cybersecurity professionals. 

“In this campaign, attackers used LinkedIn Messaging to target government officials from western European countries by sending them malicious links,” Google’s Maddie Stone and Clement Lecigne wrote on the Threat Analysis Group’s blog. “If the target visited the link from an iOS device, they would be redirected to an attacker-controlled domain that served the next stage payloads.”

The hackers then worked to exfiltrate information from the officials’ usage of websites including Google, Microsoft, LinkedIn, Facebook and Yahoo, the analysts said.

Details about the hackers’ activity were first made public by Google on Wednesday in a disclosure of recent hacks leveraging previously unknown flaws, zero-day vulnerabilities, involving web browsers such as Apple’s Safari, Google’s Chrome and Microsoft’s Internet Explorer. 

Google identified the hackers leveraging LinkedIn as “a likely Russian government-backed actor” who Google said was the same threat actor that cybersecurity firm Volexity previously described as APT29, which is affiliated with the Russian Foreign Intelligence Service (SVR). 

The APT29 hackers behind the LinkedIn campaign were previously observed by Volexity targeting U.S. organizations with malicious links cloaked in emails that appeared to be sent by USAID. The Russian hackers compromised a USAID account and used it to target 3,000 email accounts at more than 150 different organizations, according to Microsoft, which owns LinkedIn.

Microsoft said in May that the hackers responsible for the USAID breach were behind the hack of SolarWinds computer network management software that compromised federal agencies. 

While Google first discovered the LinkedIn hacking campaign in March, disclosures of significant breaches continue all the time. For example, the Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday said it was aware of “multiple threat actors” exploiting a vulnerability in the Microsoft Windows Print Spooler service that the agency feared “may lead to full system compromise of agency networks if left unmitigated.” 

CISA’s alert required emergency action by civilian executive branch agencies, including stopping and disabling the print spooler service before midnight on Thursday morning. 

In addition to these hacks, the Microsoft Threat Intelligence Center said Tuesday it had observed a China-based hacking group launching “limited and targeted attacks” against SolarWinds software. 

The bevy of hacks comes as the Biden administration is preparing to officially blame someone for the hack of Microsoft Exchange servers that Microsoft has previously attributed to a state-sponsored group operating from China.

Deputy National Security Adviser Anne Neuberger said late last month that the federal government would identify the hackers responsible for the Microsoft Exchange server breach in the coming weeks.